Secure Coding in C and C++

	Dates	2009* Prices (USD)
	2009 Dates August 3-6, 2009 (SEI Pittsburgh, PA) November 3-6, 2009 (SEI Arlington, VA) Course Registration Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Phone: 412 / 268-7388 FAX: 412 / 268-7401 Questions: courseregistration@sei.cmu.edu To Register: 2009 Click Here This course may also be offered by arrangement at customer sites. E-mail training-info@cert.org or call +1 412-268-9564 for details. *Course dates and fees are subject to change.	U.S. Course Fee: Industry: $2500 Government: $2000 Academic: $2000 International Course Fee: $3750 Register for 2009 Dates
	Course Description
	Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure C and C++ programs regardless of the specific application. Please note: you must bring a laptop computer equipped with the latest version of Adobe Reader and VMware Player. See the Prerequisites section for download information. The course assumes basic C and C++ programming skills but does not assume an in-depth knowledge of software security. The ideas presented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture (IA-32). Material in this presentation was derived from the Addison-Wesley books Secure Coding in C and C++ and The CERT C Secure Coding Standard.
	Audience · Prerequisites · Objectives · Logistics
	AUDIENCE This course is designed for C and C++ developers. Subjects covered in the first two days are general, but examples are taken from both the Microsoft Visual Studio and GCC compilers on Windows and Linux platforms. Course material on integers uses examples from the IA-32 architecture. The third and fourth days of the course focus on POSIX platforms. Doug Lea's malloc (dlmalloc) is used to demonstrate exploits in the Linux environment, while the file I/O sections focus on UNIX and the UNIX file system (UFS). PREREQUISITES It is recommended that participants have a basic to intermediate understanding of the C and C++ programming languages. Software security knowledge or experience is not required. Required Equipment Students must bring a personal computer equipped with 3GB or greater of free hard disk space C and C++ programming language development environments (compiler, editor, etc.) CD-ROM or memory stick the latest version of Adobe Reader (this can be downloaded from http://www.adobe.com/products/acrobat/readstep2.html) the latest version of VMware Player (this can be downloaded from http://www.vmware.com/download/player/) TOPICS string management dynamic memory management integral security formatted output file I/O OBJECTIVES Participants should come away from this course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. In particular, participants will learn how to improve the overall security of any C or C++ application thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions eliminate integer-related problems: integer overflows, sign errors, and truncation errors correctly use formatted output functions without introducing format-string vulnerabilities avoid I/O vulnerabilities, including race conditions Moreover, this course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow's attacks, not just today's. Course Materials The Secure Coding in C and C++ and The CERT C Secure Coding Standard books authored by Robert C. Seacord and published by Addison-Wesley will be provided. Participants will also receive a CD containing course and reference materials. LOGISTICS Class Schedule This is four-day class meets at the following times: Days 1-4, 9:00 a.m. - 5:00 p.m. (U.S. Locations) Days 1-4, 9:30 a.m. - 5:30 p.m. (non-U.S. Locations) Hotel and Travel Information Information about traveling to the SEI offices is available on our Travel and Lodging Web pages. Questions about this course? Please see our Frequently Asked Questions Web page for answers to some of the more common inquiries about SEI Education and Training. If you need more information, contact us via e-mail at training-info@cert.org or telephone at +1 412-268-9564.


	Related Products and Services
	Publications CERT Secure Coding Standards Specification for Managed Strings Related Podcasts Building More Secure Software Developing Secure Software: Universities as Supply Chain Partners How to Start a Secure Software Development Program Mainstreaming Secure Coding Practices
	Course Registration
	Register for 2009 Dates
^ TOP

	Course Offerings
	Prices
	Locations, Travel, and Lodging
	Cancellation Policy
	Courses FAQ
	Privacy Information (FERPA)
	Registration
	Contact Information
	Credentials Program
	SEI Certification