Secure Software Development Lifecycle
The training answers the question: how do you write secure applications in C? It covers the principles of application security, secure coding, the key vulnerability classes, static analysis, dynamic application security testing with a focus on fuzzing, and working with sanitizers. Each section ends with a list of practical recommendations that can be applied in your company immediately. The training is a conceptually coherent account of modern application security, promoting the solutions used by the most mature organizations.
Day 1 - Static Analysis, Fuzzing
Introduction to secure programming. CWE Top 25
Static analysis - Semgrep
Static analysis - CodeQL, gcc, clang-tidy, cppcheck
Writing static analysis rules
Introduction to fuzzing (to find memory bugs in C/C++)
Fuzzing, sanitizers
Day 2 - Fuzzing, Security boundaries
Getting fuzzing to work with real-world software
Rediscovering CVEs
Fuzzing patterns
App Boundary. Authentication, Authorization
Login screen, sessions, IDORs, API hacking, etc.
Input validation
Day 3 - Security boundaries
OS command injections, path traversals, insecure uploads
Data protection. SQL Injection
Hacking OS boundary
Secure design principles: confidentiality, integrity, availability
Network security and cryptography
Cryptography recommendations
Day 4 - Secure design and development
Threat modeling
Threat modeling exercises
Designing secure software
Memory safety (buffer overflows, use after free, etc.)
Race conditions
Race conditions CTF