Course Code: cplplsecdevbesp
Duration: 14 hours
Overview:

The training answers the question: how do you write secure applications in C/C++? It covers the principles of application security, secure coding, key vulnerability classes, static analysis, dynamic application security testing with a focus on fuzzing, and working with sanitizers. Each section ends with a list of practical recommendations that can be applied immediately in your company. The training is a conceptually consistent story about the security of the modern application, promoting solutions used by the most mature organizations.

Course Outline:

Day 1 - Static Analysis

14:00 - 14:50 - Lecture - Introduction to secure programming

15:00 - 15:50 - Lecture - Static analysis - tools

16:00 - 17:00 - Exercise - Finding bugs with SAST tools

Day 2 - Fuzzing

14:00 - 14:50 - Lecture - Introduction to fuzzing

15:00 - 15:50 - Exercise - Getting fuzzing to work with real-world software

16:00 - 17:00 - Exercise - Rediscovering CVEs

Day 3 - Security Boundaries

14:00 - 14:50 - Lecture - App Boundary, Authentication, Authorization

15:00 - 15:50 - Lecture - Input validation

16:00 - 17:00 - Exercise - Security boundary CTFs

Day 4 - Secure design and development

14:00 - 14:50 - Lecture - Threat modelling

15:00 - 15:50 - Lecture - OS command injections, path traversals, insecure uploads

16:00 - 17:00 - Exercise - Race conditions demo and CTF