Overview

This three-day course provides a deep dive into secure coding practices for C and C++ applications, following the SEI CERT Secure Coding Standards. Participants will start by understanding fundamental IT security principles and the architecture of ARM processors, including memory layout and stack operations.

The course progresses to analysing how vulnerabilities such as buffer overflows and denial-of-service attacks are exploited and mitigated. It also covers common coding mistakes, XML security, and advanced protection techniques like Address Space Layout Randomization (ASLR) and stack smashing protection. With hands-on exercises using exploitable applications and debugging tools, attendees will learn to identify and prevent security flaws effectively.


Prerequisites

  • Basic programming experience with C and/or C++.
  • Familiarity with core programming concepts such as memory allocation and function calls.

Target Audience

  • C and C++ developers working on application development.
  • Software engineers seeking to integrate secure coding practices.
  • IT professionals responsible for securing native code applications.

Learning Outcomes

By the end of this course, participants will be able to:

  • Write secure code adhering to SEI CERT Coding Standards.
  • Understand and mitigate buffer overflow attacks using development and runtime protection techniques.
  • Identify and address vulnerabilities such as XML injection and denial of service.
  • Apply compiler options and runtime protections like ASLR and stack smashing protection.
  • Evaluate and resolve common coding errors, including memory management issues and improper exception handling.
  • Leverage tools like debuggers for vulnerability identification and analysis.

Course Outline

Day 1: Introduction to IT security and secure coding

  • Fundamentals of IT security and risk.
  • Classification of security flaws, including Landwehr's taxonomy and The Seven Pernicious Kingdoms.
  • Overview of SEI CERT Coding Standards.
  • ARM architecture basics:
    • Memory layout, stack operations, and function calls.
    • Stack frames for recursive and nested functions.
  • Buffer overflow introduction:
    • Stack overflow attacks and return address overwriting.
    • Hands-on exercise: Exploiting a stack overflow using gdb.
  • Compiler and runtime protection techniques:
    • Fortify compiler options (FORTIFY_SOURCE).
    • ASLR and its limitations.
    • Non-executable memory areas (NX bit).

Day 2: Advanced vulnerabilities and mitigations

  • Return-Oriented Programming (ROP):
    • ROP gadgets, return-to-libc attacks, and mitigation techniques.
  • Heap overflow:
    • Memory allocation vulnerabilities and case studies like Heartbleed.
  • XML security:
    • XML injection and XXE attacks.
    • Preventing entity-related attacks with sanitisation and validation.
    • Exercise: Identifying and fixing XML injection vulnerabilities.
  • Common coding errors:
    • Input validation issues, including integer overflow and truncation.
    • Best practices for memory allocation and avoiding dangling pointers.
    • Exercise: Using smart pointers for safe memory handling.

Day 3: Mitigating security risks in C and C++

  • Denial of Service (DoS):
    • Regular expression DoS (ReDoS) and hashtable collisions.
    • Exercise: Identifying and resolving DoS vulnerabilities in C code.
  • Improper error handling:
    • Common issues with catch blocks and their security implications.
    • Exercise: Best practices for error and exception handling.
  • Advanced buffer overflow protection:
    • Implementing stack smashing protection and enabling ASLR.
    • Exercise: Securing applications with compiler protections.
  • Principles of secure coding:
    • Applying Matt Bishop’s and Saltzer and Schroeder’s principles.
    • Resources and further readings on secure coding practices.

Exam and Assessments

  • There are no formal exams for this course.
  • Hands-on lab exercises to reinforce key concepts and techniques.


Scademy

In partnership with our Secure Coding partner Scademy.


ELCAS Enhanced Learning Credits Administration Service

QA is an approved training provider for ELCAS, proud to support service leavers in their transition into the tech industry. Learn more about ELCAS approved training here.

NCSC Assured Training

Continuous Professional Development (CPD)

CPD points can be claimed for NCSC assured training courses at the rate of 1 point per hour of training (up to a maximum of 15 points).
