DEV543: Secure Coding in C & C++
The C and C++ programming languages are the bedrock of most operating systems, major network services, embedded systems and system utilities. Even though C and, to a lesser extent, C++ are well-understood languages, the flexibility of the language and inconsistencies in the standard C library have led to an enormous number of discovered vulnerabilities over the years. The unfortunate truth is that there are probably more undiscovered vulnerabilities than known ones!
This course covers the most common programming flaws that affect C and C++ code. It specifically covers the issues identified by the GSSP (GIAC Secure Software Programmer) blueprint for C/C++, with additional items from the CERT Secure Coding Standard. Each issue is described clearly with examples. Throughout the course, students are asked to identify flaws in modern versions of common open-source software, giving hands-on experience finding these issues in existing code. Exercises also require students to provide secure solutions to coding problems in order to demonstrate mastery of the subject.
- Off-by-one errors
- Problems with NTBSs (null-terminated byte strings)
- Causes of buffer overflows
- Causes of heap overflows
- Common memory management errors
- Integer promotion standards
- Side effects of integer promotions
- Common integer errors
- Common semaphore issues
- File I/O errors
- Review process for identifying coding errors
A computer system running any operating system is required. If Windows is in use, VMware Player will be provided on the course DVD to allow the student to run the virtual machines. If you are running Linux or OS X, please come prepared with VMware Player, VMware Workstation, or VMware Fusion pre-installed.
The computer must have a DVD drive, at least 6 GB of free hard disk space, and at least 2 GB of RAM. Neither a wireless nor a wired Ethernet connection is required for the class.
If you have additional questions about the laptop specifications, please contact email@example.com.
Who Should Attend
- C Programmers
- C++ Programmers
- Project Managers overseeing coding tasks in C or C++
- Embedded programmers working with C or C++
- Legacy code maintainers
- Code auditors
SANS has done a great job over the years of assisting the industry in performing triage. We've progressed from needing to secure our perimeters, giving advice on how to monitor networks and identify attacks, how to deploy services securely and how to secure operating systems. Now that the triage is done it's time for us to get to the heart of our real problems: we've got a lot of bad code that we're relying on for mission critical applications. This course adds one more tool to your arsenal, allowing you to identify and fix your problems at the source... literally!
- David Hoelzer
*CPE/CMU credits not offered for the SelfStudy delivery method