Modern C++ Security

Course Description

Writing secure code in modern C++ is far from trivial. This course will introduce you to the complexity of working with the C++ family of languages from a security perspective. Learn about some of the major security flaws that can lead to insecure programs and how to combat them. String handling, memory management, integer overflow and wrapping, and format string attacks are all covered.

Learning Objectives

  • Describe the use cases where modern C++ is widely used and how modern C++ helps developers write safer code
  • Apply new best practices to safely manipulate strings
  • Identify unsafe memory handling practices and see how to handle memory safely
  • Apply mitigations to deal with common integer mishandling
  • Understand issues with concurrency and parallelism
  • Describe how the compiler’s optimizer impacts security outcomes in modern C++

Details

Delivery Format: eLearning

Duration: 2 hours

Level: Intermediate

Intended Audience

  • Architects
  • Back-End Developers
  • QA Engineers

Prerequisites

Course Outline

Introduction to Modern C++ Security

  • The Origins of Modern C++
  • How Modern C++ Evolves
  • Modern C++'s Sharp Edges
  • Undefined Behavior

Data Types

  • The Type System
  • Integers
  • Casts
  • Alternative Operator Representations
  • Enumerations

Strings

  • String Handling
  • Secure Strings
  • Secure String Implementation

Interfaces

  • Safer Interfaces
  • Exceptions
  • Interface Qualifiers

Memory Safety

  • Introduction to Memory Safety
  • Use-After-Free and Double-Free
  • Memory Lifetime

Concurrency

  • DirtyCOW
  • Improper Synchronization
  • Performance, Stress, and Scalability Testing

Undefined Behavior

  • Undefined Behavior
  • Avoiding Undefined Behavior
  • No Diagnostic Required

Standard Template Libraries

  • Complexity
  • The STL’s Dark Side
  • STL Containers

Compilers

  • Optimizers
  • More Undefined Behavior
  • No Diagnostic Required (NDR)

Automatic Defenses

  • Stack Canaries
  • Address Space Layout Randomization

Code Reviews

  • Code Review Strategies
  • Avoiding Code Review Noise
  • Handling Legacy Code

Course Wrap Up
