Basics of C/C++
The training answers the question: how to write secure applications in C/C++? It includes the principles of application security, secure coding, key vulnerability classes, static analysis, dynamic security application testing focusing on fuzzing, and working with sanitizers. Each section ends with a list of practical recommendations that can be immediately applied to your
application. The training is a conceptually consistent story about the security of the modern application, promoting solutions used by the most mature organizations.
Day 1 - Static Analysis
Introduction - OWASP Top 10, CWE Top 25
Static analysis - SemGrep
Writing SemGrep rules
Static analysis - CodeQL, gcc, clang-tidy, cppcheck
Rules writing
Weggli rules writing
Day 2 - Fuzzing
Introduction to fuzzing and symbolic execution
Fuzzing intro, sanitizers
Getting fuzzing to work with real-world software
Rediscovering CVEs
Fuzzing patterns
KLEE and rediscovering CVEs - part 2
Day 3 - Security boundaries
App Boundary, Authentication, Authorisation
Login screen, session, IDORs, API hacking, etc
Input validation
OS command injections, path traversals, insecure uploads
SQL injection
Hacking OS boundary
Day 4 - Secure design and development
Secure design principles: confidentiality, integrity, availability
Network security and cryptography
Cryptography recommendations
Threat modeling
Threat modeling exercises
Designing secure software
Day 5 - Vulnerability classes
Memory safety
Race conditions
Race conditions CTF
Modern memory safety defenses
UAF remediation
Recap, key takeouts, Q&A, questionnaires