Based on real-world experience managing the development of multiple security products as well as production software, this secure coding class provides both developers as well as analysis/managers with the right attitude in terms of secure coding.
Rather than a “cookbook” for secure coding in a specific language or platform, this class equips the attendees with samples of how things go wrong when software is not developed with security in mind. As we go through the analysis of these cases, a true understanding of the secure development life-cycle is realized.
Agenda:
- The security issue – background on secure coding
- Presenting the main secure coding realms (with examples):
- Input
- Buffers/Heap overflows
- Formatting (NULLs, casts, etc…)
- Injections
- Data structures
- Canonical representations
- Inter object/process contract breaches
- Access control
- Assumptions and defaults
- Authentication & Authorization pitfalls
- Least privilege concepts
- Common secure coding techniques
- Boundary checks
- Input validation & data cleaning
- Safe casting
- Business process validation (for data representation mainly)
- Defense in depth
- Testing – unit tests, defining bad data tests, “hacking” the application
- Building security into the product design (primer)
Duration: Full day (9 hours).