Secure Coding for C/C++ Training

Learn the most common programming bugs and their practical mitigation techniques through hands-on exercises that provide full understanding of the root causes of security problems.

Learn secure C/C++ coding

Boot camp overview

Our Secure Coding in C/C++ Boot Camp covers typical C/C++ security programming bugs and common vulnerabilities. The root causes of the problems are explained through a number of easy-to-understand source code examples that depict how to find and correct the issues. The real strength of the training is the numerous hands-on exercises, which help you understand how easy it is for attackers to exploit these vulnerabilities.

The training also provides an overview of practical protection methods that can be applied at different levels (hardware components, operating systems, programming languages, the compiler, the source code or in production) to prevent the occurrence of various bugs, to detect them during development and before market launch, or to prevent their exploitation during system operation. Through exercises specially tailored to these mitigation techniques, you’ll learn how simple it is to eliminate various security problems.

Skill up and get certified, guaranteed

100% Satisfaction Guarantee

If you’re not 100% satisfied with your training at the end of the first day, you may withdraw and enroll in a different Flex Pro or Flex Classroom course.

Knowledge Transfer Guarantee

If an employee leaves within three months of obtaining certification, Infosec will train a different employee at the same organization tuition-free for up to one year.

What's included?

  • Two full days of instruction with an expert instructor
  • Infosec proprietary digital courseware (physical textbooks available to purchase)
  • 90-day access to replays of daily lessons (Flex Pro)
  • 90-day access to hosted labs (Flex Pro)
  • 100% Satisfaction Guarantee

Hands-on exercises

This secure coding boot camp includes a number of easy-to-understand exercises that demonstrate live hacking. You’ll learn to analyze vulnerable code snippets and carry out attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner by using a pre-set desktop virtual machine, which provides a uniform development environment.

Award-winning training that you can trust

  • Rising Star Partner Award
  • G2 Crowd Leader – Technical Skills Development Software
  • Gold Winner – Best Cybersecurity Education Provider
  • Publisher's Choice – Security Training for Infosec Professionals
  • Top 20 Company – IT Training

Who should attend

  • C / C++ developers
  • Designers and architects
  • Members or managers of the software development team
  • Anyone who wants to learn more about secure coding in C/C++

Prerequisites

  • Knowledge of C / C++ programming languages
  • Familiarity with memory management
  • Background in OS mechanisms

Why choose Infosec

Your flexible learning experience

Infosec Flex makes expert, live instruction convenient with online and in-person formats tailored to how, when and where you learn best.

Public training boot camps held nationwide

  • Pre-study course materials
  • Live instruction
  • Digital courseware
  • Daily reinforcement materials
  • Catered lunches
  • Infosec community forum access
  • 100% Satisfaction Guarantee
  • Knowledge Transfer Guarantee

Most Popular

Immersive, live-streamed instruction

  • Pre-study course materials
  • Live instruction
  • Digital courseware
  • Daily reinforcement materials
  • Detailed performance reporting
  • Video replays
  • 90-day extended access to materials
  • Infosec community forum access
  • 100% Satisfaction Guarantee
  • Knowledge Transfer Guarantee

Tailored team training at your location

  • Pre-study course materials
  • Live, customized instruction at your location
  • Digital courseware
  • Daily reinforcement materials
  • Detailed team performance reporting
  • Video replays
  • 90-day extended access to materials
  • Infosec community forum access
  • 100% Satisfaction Guarantee
  • Knowledge Transfer Guarantee

Can’t get away for a week?

Learn secure coding on-demand.

Get the cybersecurity training you need at a pace that fits your schedule with a subscription to Infosec Skills. Includes unlimited access to hundreds of additional on-demand courses — plus cloud-hosted cyber ranges where you can practice and apply knowledge in real-world scenarios — all for just $34 a month!

  • 400+ courses
  • 4 cyber range environments
  • 100+ hands-on labs
  • Certification practice exams
  • 50+ learning paths

What you’ll learn

This Secure Coding in C/C++ Boot Camp provides two days of training with a real C/C++ security expert. Our instructors have extensive C/C++ development experience as well as years of experience performing security code reviews. You will learn valuable knowledge and skills, including the ability to:

  • Understand basic concepts of security, IT security and secure coding
  • Realize the severe consequences of non-secure buffer handling
  • Understand the architectural protection techniques and their weaknesses
  • Learn about typical coding mistakes and how to avoid them
  • Be informed about recent vulnerabilities in various platforms, frameworks and libraries

Regularly updated training

Black hat hackers are always changing their tactics to get one step ahead of the good guys. We update our course materials regularly to ensure you learn about the latest C/C++ coding threats — and how to write secure code to prevent those threats.

You're in good company.

"I’ve taken five boot camps with Infosec and all my instructors have been great."

Jeffrey Coa

Information Security Systems Officer

"Comparing Infosec to other vendors is like comparing apples to oranges. My instructor was hands-down the best I’ve had." 

James Coyle

FireEye, Inc.

"I knew Infosec could tell me what to expect on the exam and what topics to focus on most."

Julian Tang

Chief Information Officer

Our clients

FedEx
Microsoft
Bank of America
Defense Information Systems Agency
Symantec

Secure Coding for C/C++ Boot Camp details

IT security and secure coding

  • Nature of security
  • IT security related terms
  • Definition of risk
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cybercrime
    • Nature of security flaws
    • Reasons for difficulty
    • From an infected computer to targeted attacks
  • Classification of security flaws
    • Landwehr’s taxonomy
    • The Fortify taxonomy
    • The Seven Pernicious Kingdoms
    • OWASP Top Ten 2013 — Landwehr’s taxonomy

Security relevant C/C++ programming bugs and flaws

  • Exploitable security flaws
  • Protection principles
    • Specific protection methods
    • Protection methods at different layers
    • The PreDeCo matrix of software security
  • x86 machine code, memory layout, stack operations
    • Main registers
    • Most important instructions
    • Flags
    • Control instructions
    • Stack handling and flow control
    • The memory address layout
    • The function calling mechanism in C/C++ on x86
    • Calling conventions
    • The local variables and the stack frame
    • Function calls
    • Prologue and epilogue of a function
    • Stack frame of nested calls
    • Stack frame of recursive functions

Buffer overflow

  • Stack overflow
    • Buffer overflow on the stack
      • Overwriting the return address
      • Exercise BOFIntro
      • Exercise BOFShellcode
    • Protection against stack overflow
      • Stack overflow – prevention (during development)
      • Stack overflow – detection (during execution)
    • Stack smashing protection
      • Stack smashing protection variants
      • Stack smashing protection in GCC
      • Exercise BOFShellcode
      • Effects of stack smashing protection
      • Bypassing stack smashing protection – an example
    • Address Space Layout Randomization (ASLR)
      • Stack randomization with ASLR
      • Using ASLR
      • Circumventing ASLR: NOP sledding
      • Exercise BOFASLR
      • Circumventing ASLR with NOP sledding
    • Non-executable memory areas – the NX bit
      • Protection through virtual memory management
      • Access control on memory segments
      • The Never eXecute (NX) bit
      • Exercise BOFShellcode – enforcing NX memory segments
      • Return-to-libc attack – circumventing the NX bit
      • Arc injection / return-to-libc attack
      • Multiple function calls with return-to-libc
    • Return-oriented programming (ROP)
      • Exploiting with ROP
      • ROP gadgets
      • Combining the ROP gadgets
      • Exercise BOFROP
  • Heap overflow
    • Memory allocation managed by a doubly-linked list
    • Buffer overflow on the heap
    • Steps of freeing and joining memory blocks
    • Freeing allocated memory blocks
    • TLS Heartbeat Extension
    • Heartbleed – a simple explanation
    • Heartbleed – fix in v1.0.1g
    • Protection against heap overflow

Common coding errors and vulnerabilities

  • Input validation
    • Input validation concepts
    • Integer problems
    • Representation of negative integers
    • Integer ranges
    • Integer representation by using the two’s complement
    • The integer promotion rule in C/C++
    • Arithmetic overflow – spot the bug!
    • Exercise IntOverflow
    • So why ABS(INT_MIN)==INT_MIN?
    • Signedness bug – spot the bug!
    • Widthness integer overflow – spot the bug!
    • A case study – Android Stagefright
    • Stagefright – a quick introduction
    • Some Stagefright code examples – spot the bugs!
    • Integer problem mitigation
    • Avoiding arithmetic overflow – addition
    • Avoiding arithmetic overflow – multiplication
    • Dealing with signed/unsigned integer promotion
    • Safe integer handling in C
    • The SafeInt class for C++
    • Printf format string bug – exploitation
    • Exercise Printf
    • Printf format string exploit – overwriting the return address
    • Mitigation of printf format string problem
    • Some other input validation problems
    • Array indexing – spot the bug!
    • The Unicode bug
    • Directory Traversal Vulnerability
    • Shellshock – basics of using functions in bash
    • Shellshock – vulnerability in bash
    • Exercise – Shellshock
    • Shellshock fix and counterattacks
    • Exercise – command override with environment variables
    • Improper use of security features
    • Problems related to the use of security features
    • Insecure randomness
    • Weak PRNGs in C
    • Stronger PRNGs in C and Linux
    • Hardware-based RNGs
    • Password management
    • Exercise – Google cracking
    • Password management and storage
    • Special purpose hash algorithms for password storage
    • PBKDF2 and bcrypt implementations in C/C++
    • Some other typical password management problems
  • Improper error and exception handling
    • Typical problems with error and exception handling
    • Empty catch block
    • Overly broad catch
    • Exercise ErrorHandling – spot the bug!
  • Time and state problems
    • Time and state related problems
    • Serialization errors (TOCTTOU)
    • Attacks with symbolic links
    • Exercise TOCTTOU
  • Code quality problems
    • Dangers arising from poor code quality
    • Poor code quality – spot the bug!
    • Unreleased resources
    • Type mismatch – spot the bug!
    • Exercise TypeMismatch

Advice and principles

  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder

Knowledge sources

  • Vulnerability databases
  • Secure coding sources – a starter kit