$2,500

Multiple Dates

Secure Software Development

Event Information

Location

Attack Research

30 Bonnie View Drive

Los Alamos, NM 87547

Refund Policy

Refunds up to 30 days before event

Event description

Secure Software Development provides a deep understanding of secure coding practices through practical knowledge and experience. Attack Research utilizes offensive knowledge and techniques to teach defensive coding practices. This class establishes a theoretical foundation which evolves into practical examples and exercises. The training dives into the mechanisms of C/C++, shell scripting, and Web Development to help students gain the concepts and knowledge of secure coding. Students will also gain real-world experience in the labs that are based upon true vulnerabilities found in the wild.

This class is tailored for customers developing on a POSIX-based platform, C/C++, and Web Development, but many of the concepts apply to other languages.

Students will leave with an understanding of:

- Secure coding practices for various languages and architectures

- How application vulnerabilities are identified and exploited

- How exploit chaining can lead to greater vulnerability risk classification


Target Audience

  • Software Developers

  • Web Developers

  • Application Developers

  • Code Auditors

  • Penetration Testers

Course Outline

DAY 1

  • Module 1: Introduction
      • Vulnerabilities
      • Security Bugs vs Feature Bugs
      • Risk Rating Bugs
      • Attack Surfaces
      • Secure Development Process
      • Mitigations
  • Module 2: Inputs
      • Finding Inputs
      • Secure Input Handling
      • Black and White Listing
      • Command Injection
      • SQL Injection
      • Cross Site Scripting
      • Other Attacks
      • Input Normalization
      • Input Format Handling


DAY 2

  • Module 3: Memory Corruption
      • Memory Layout
      • Calling
      • HeartBleed Example
      • Memory Exploitation
      • Buffer Overflows
      • Modern Protections
      • String Manipulation
      • Example Coding Errors
      • Dangling Pointers
  • Module 5: Containment
      • Contingency Plans
      • System Permissions
      • Jails and Sandboxes
      • Cryptography 101
      • Password Storage
      • Authenticity and Confidentiality

Course Instructor Bio

This course is taught by a highly experienced member of Attack Research staff. Instructors have over 10 years of experience implementing, supporting, securing, and compromising large and complex multi-platform environments. Instructors are currently engaged in senior-level penetration testing of highly secured UNIX and Windows networks and frequently research, develop, and deploy custom tools and techniques during engagements.

Secure Software Development instructors also bring a wealth of knowledge gained from performing incident response on compromised systems in the field including analysis of attacker tools and techniques. Many of the topics covered in the course are taken directly from instructors' case studies and represent real-world events.

Student Requirements

Students must bring their own machines. These can run any platform but must be able to run a VMware-based virtual machine. Students must also have enough administrative access, and enough understanding of network configuration, to change their own machine's settings.

Students must have:

  • An understanding of basic operating system concepts

  • The ability to use command line tools on Windows and Linux

  • Basic familiarity with file formats

  • Coding Experience (e.g., C/C++/C#, Scripting, Web Development, etc.)


Level of Experience Needed:

This course is NOT recommended for advanced vulnerability researchers and exploit developers.

A minimum of 1-3 years is recommended; however, we have seen coders with 20 years of experience still making many of these same mistakes.


Course Background

Secure Software Development is a course designed to teach the basics of software development mistakes, attacker mindset and methodologies, exploitation techniques, and best practices in developing secure software. AR clients benefit from this course by improving their company's SDLC security posture, fulfilling assessment and auditing requirements, and enhancing product security.

This information comes from years of working with software development teams, code auditing, and red team engagements. The class exercises are derived from real-world examples seen in the wild and found during client engagements.

Each student works independently and is provided a VM with labs, tools, slides, and exercises. The course is lecture-based, with exercises and demonstrations that illustrate important concepts. In each exercise, students exploit a particular insecure coding practice and then learn how to secure it. The goal is to give students a better understanding of attackers' techniques, teach them how to mitigate those techniques, and get them thinking about longer chains of attacks.

We feel our class is different because it draws from our actual experiences as attackers and code auditors. The class also covers multiple platforms, covers coding practices more conceptually, and uses lower-level languages for better demonstration of the overall concepts that apply to multiple languages.

Students Provided With

Students will be provided a demo VM with exercises and tools. Students will also be given electronic copies of all the slides and labs.
