$2,500

Secure Software Development

Event Information

Location

Attack Research

30 Bonnie View Drive

Los Alamos, NM 87544

Description

Secure Software Development provides a deep understanding of secure coding practices through practical knowledge and experience. Attack Research uses offensive knowledge and techniques to teach defensive coding practices. This class establishes a theoretical foundation which evolves into practical examples and exercises. The training dives into the mechanisms of C/C++, shell scripting, and web development to help students gain the concepts and knowledge of secure coding. Students will also gain real-world experience in labs that are based on true vulnerabilities found in the wild.

This class is tailored for customers developing on a POSIX-based platform, in C/C++, and for the web, but many of the concepts apply to other languages.

Students will leave with an understanding of:

- Secure coding practices for various languages and architectures

- How application vulnerabilities are identified and exploited

- How exploit chaining can raise a vulnerability's risk classification


Target Audience

  • Software Developers

  • Web Developers

  • Application Developers

  • Code Auditors

  • Penetration Testers

Course Outline

DAY 1

  • Module 1: Introduction
      • Vulnerabilities
      • Security Bugs vs Feature Bugs
      • Risk Rating Bugs
      • Attack Surfaces
      • Secure Development Process
      • Mitigations
  • Module 2: Inputs
      • Finding Inputs
      • Secure Input Handling
      • Black and White Listing
      • Command Injection
      • SQL Injection
      • Cross Site Scripting
      • Other Attacks
      • Input Normalization
      • Input Format Handling


DAY 2

  • Module 3: Memory Corruption
      • Memory Layout
      • Calling
      • HeartBleed Example
      • Memory Exploitation
      • Buffer Overflows
      • Modern Protections
      • String Manipulation
      • Example Coding Errors
      • Dangling Pointers
  • Module 5: Containment
      • Contingency Plans
      • System Permissions
      • Jails and Sandboxes
      • Cryptography 101
      • Password Storage
      • Authenticity and Confidentiality

Course Instructor Bio

This course is taught by a highly experienced member of Attack Research staff. Instructors have over 10 years of experience implementing, supporting, securing, and compromising large and complex multi-platform environments. Instructors are currently engaged in senior-level penetration testing of highly secured Windows and UNIX networks and frequently research, develop and deploy custom tools and techniques during engagements.

Tactical Exploitation: Attacking Windows instructors also bring a wealth of knowledge gained from performing incident response on compromised systems in the field, including analysis of attacker tools and techniques. Many of the topics covered in the course are taken directly from instructors' case studies and represent real-world events.

Student Requirements

Students must bring their own machines. Student machines can be of any platform but must be able to run a VMware-based virtual machine. Students must also have enough administrative access and understanding to configure network settings.

Students must have:

- An understanding of basic operating system concepts

- The ability to use command line tools on Windows and Linux

- Basic familiarity with file formats

- Coding experience (C/C++/C#, scripting, web development, etc.)

Beginner/Intermediate/Advanced:

This course is NOT recommended for advanced vulnerability researchers and exploit developers.

Years of Experience:

1-3 years minimum, but we have seen coders with 20 years' experience still making many of these same mistakes.

Course Background

Secure Software Development is a course designed to teach the basics of software development mistakes, attacker mindset and methodologies, exploitation techniques, and best practices. This course has been taught to Attack Research clients to improve their SDLC security posture, fulfill PCI requirements, and enhance product security.

This information comes from years of working with software development teams, code auditing, and red team engagements. The class exercises are derived from real-world examples seen in the wild and found on client engagements.

Each student works independently and gets a VM with labs, tools, slides and exercises. The course combines lecture with exercises and demonstrations that illustrate important concepts. In each exercise, students exploit a particular insecure coding practice and then learn how to fix it. The goal is to give them a better understanding of attackers' techniques and how to mitigate them, and to get them thinking about longer chains of attacks.

We feel our class is different because it draws on our experience as attackers and code auditors, so it comes from that perspective and from what we see in the real world. It also covers multiple platforms, treats coding practices more conceptually, and uses lower-level languages to better demonstrate the overall concepts that apply to multiple languages.

Students Provided With

Students will be provided a demo VM with exercises and tools. Students will also be given electronic copies of all the slides and labs.
