Security testing C and C++ applicationsSECT-CCACYCydrillCY-SECT-CCA1<ul>
<li>Getting familiar with essential cyber security concepts</li><li>Understanding security testing methodology and approaches</li><li>Correctly implementing various security features</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in C and C++</li><li>Input validation approaches and principles</li><li>Getting familiar with security testing techniques and tools</li></ul><p>C/C++ developers and testers</p><ul>
<li>Cyber security basics</li><li>Memory management vulnerabilities</li><li>Memory management hardening</li><li>Security testing</li><li>Common software security weaknesses</li><li>Wrap up</li></ul><h4>Cyber security basics</h4><ul>
<li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Cyber security threat types – the STRIDE model</li><li>Consequences of insecure software</li></ul><h4>Memory management vulnerabilities</h4><h5>Assembly basics and calling conventions</h5><ul>
<li>x64 assembly essentials</li><li>Registers and addressing</li><li>Most common instructions</li><li>Calling conventions on x64
<ul>
<li>Calling convention – what it is all about</li><li>Calling convention on x64</li><li>The stack frame</li><li>Stacked function calls</li></ul></li></ul><h5>Buffer overflow</h5><ul>
<li>Memory management and security</li><li>Vulnerabilities in the real world</li><li>Buffer security issues</li><li>Buffer overflow on the stack
<ul>
<li>Buffer overflow on the stack – stack smashing</li><li>Exploitation – Hijacking the control flow</li><li>Lab – Buffer overflow 101, code reuse</li><li>Exploitation – Arbitrary code execution</li><li>Injecting shellcode</li><li>Lab – Code injection, exploitation with shellcode</li></ul></li><li>Pointer manipulation
<ul>
<li>Modification of jump tables</li><li>Overwriting function pointers</li></ul></li></ul><h5>Best practices and some typical mistakes</h5><ul>
<li>Unsafe functions</li><li>Dealing with unsafe functions</li><li>Lab – Fixing buffer overflow</li><li>What's the problem with asctime()?</li><li>Lab – The problem with asctime()</li><li>Using std::string in C++</li><li>Unterminated strings</li><li>readlink() and string termination</li><li>Manipulating C-style strings in C++</li><li>Malicious string termination</li><li>Lab – String termination confusion</li><li>String length calculation mistakes</li><li>Off-by-one errors</li><li>Allocating nothing</li><li>Testing for typical mistakes</li></ul><h4>Memory management hardening</h4><h5>Runtime protections</h5><ul>
<li>Runtime instrumentation</li><li>Address Space Layout Randomization (ASLR)
<ul>
<li>ASLR on various platforms</li><li>Lab – Effects of ASLR</li><li>Circumventing ASLR – NOP sleds</li><li>Circumventing ASLR – memory leakage</li></ul></li><li>Non-executable memory areas
<ul>
<li>The NX bit</li><li>Write XOR Execute (W^X)</li><li>NX on various platforms</li><li>Lab – Effects of NX</li><li>NX circumvention – Code reuse attacks
<ul>
<li>Return-to-libc / arc injection</li></ul></li><li>Return Oriented Programming (ROP)
<ul>
<li>Protection against ROP</li></ul></li></ul></li></ul><h4>Security testing</h4><ul>
<li>Security testing vs functional testing</li><li>Manual and automated methods</li><li>Black box, white box, and hybrid testing</li></ul><h5>Security testing methodology</h5><ul>
<li>Security testing – goals and methodologies</li><li>Overview of security testing processes</li><li>Identifying and rating assets
<ul>
<li>Preparation and scoping</li><li>Identifying assets</li><li>Identifying the attack surface</li><li>Assigning security requirements</li><li>Lab – Identifying and rating assets</li></ul></li><li>Threat modeling
<ul>
<li>SDL threat modeling</li><li>Mapping STRIDE to DFD</li><li>DFD example</li><li>Attack trees</li><li>Attack tree example</li><li>Lab – Crafting an attack tree</li><li>Misuse cases</li><li>Misuse case examples</li><li>Risk analysis</li><li>Lab – Risk analysis</li></ul></li><li>Accomplishing the tests</li><li>Reporting, recommendations, and review</li></ul><h4>Common software security weaknesses</h4><h5>Security features</h5><ul>
<li>Authentication</li><li>Password management
<ul>
<li>Inbound password management</li><li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets
<ul>
<li>Case study – The Ashley Madison data breach</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li></ul></li><li>Password database migration</li><li>Testing for password management issues</li><li>Using password cracking tools</li><li>Lab – Password audit with John the Ripper</li></ul></li></ul><h4>Common software security weaknesses</h4><h5>Input validation</h5><ul>
<li>Input validation principles</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>When to validate – validation vs transformations</li><li>Validation with regex</li><li>Injection
<ul>
<li>Injection principles</li><li>Injection attacks</li><li>Code injection</li><li>OS command injection</li><li>Lab – Command injection</li><li>OS command injection best practices</li><li>Avoiding command injection with the right APIs</li><li>Lab – Command injection best practices
<ul>
<li>Case study – Shellshock</li></ul></li><li>Lab - Shellshock</li><li>Testing for command injection</li></ul></li><li>Integer handling problems
<ul>
<li>Representing signed numbers</li><li>Integer visualization</li><li>Integer promotion</li><li>Integer overflow</li><li>Lab – Integer overflow</li><li>Signed / unsigned confusion</li><li>Case study – The Stockholm Stock Exchange</li><li>Lab – Signed / unsigned confusion</li><li>Integer truncation</li><li>Lab – Integer truncation</li><li>Case study – WannaCry</li><li>Best practices
<ul>
<li>Precondition testing</li><li>Postcondition testing</li><li>Best practices in C</li><li>Best practices in C++</li><li>Lab – Integer handling best practices in C++</li></ul></li><li>Testing for numeric problems</li></ul></li><li>Files and streams
<ul>
<li>Path traversal</li><li>Lab – Path traversal</li><li>Path traversal best practices</li><li>Lab – Path canonicalization</li><li>Testing for path traversal</li></ul></li></ul><h4>Security testing</h4><h5>Security testing techniques and tools</h5><ul>
<li>Code analysis
<ul>
<li>Static Application Security Testing (SAST)</li><li>Lab – Using static analysis tools</li></ul></li><li>Dynamic analysis
<ul>
<li>Security testing at runtime</li><li>Penetration testing</li><li>Stress testing</li><li>Dynamic Application Security Testing (DAST)</li><li>Fuzzing</li><li>Fuzzing techniques</li><li>Fuzzing – Observing the process</li><li>American Fuzzy Lop (AFL)</li></ul></li></ul><h4>Wrap up</h4><ul>
<li>Secure coding principles</li><li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schroeder</li></ul><h5>And now what?</h5><ul>
<li>Software security sources and further reading</li><li>C and C++ resources</li><li>Security testing resources</li></ul>- Getting familiar with essential cyber security concepts
- Understanding security testing methodology and approaches
- Correctly implementing various security features
- Identify vulnerabilities and their consequences
- Learn the security best practices in C and C++
- Input validation approaches and principles
- Getting familiar with security testing techniques and toolsC/C++ developers and testers- Cyber security basics
- Memory management vulnerabilities
- Memory management hardening
- Security testing
- Common software security weaknesses
- Wrap upCyber security basics
- What is security?
- Threat and risk
- Cyber security threat types – the CIA triad
- Cyber security threat types – the STRIDE model
- Consequences of insecure software
Memory management vulnerabilities
Assembly basics and calling conventions
- x64 assembly essentials
- Registers and addressing
- Most common instructions
- Calling conventions on x64
- Calling convention – what it is all about
- Calling convention on x64
- The stack frame
- Stacked function calls
Buffer overflow
- Memory management and security
- Vulnerabilities in the real world
- Buffer security issues
- Buffer overflow on the stack
- Buffer overflow on the stack – stack smashing
- Exploitation – Hijacking the control flow
- Lab – Buffer overflow 101, code reuse
- Exploitation – Arbitrary code execution
- Injecting shellcode
- Lab – Code injection, exploitation with shellcode
- Pointer manipulation
- Modification of jump tables
- Overwriting function pointers
Best practices and some typical mistakes
- Unsafe functions
- Dealing with unsafe functions
- Lab – Fixing buffer overflow
- What's the problem with asctime()?
- Lab – The problem with asctime()
- Using std::string in C++
- Unterminated strings
- readlink() and string termination
- Manipulating C-style strings in C++
- Malicious string termination
- Lab – String termination confusion
- String length calculation mistakes
- Off-by-one errors
- Allocating nothing
- Testing for typical mistakes
Memory management hardening
Runtime protections
- Runtime instrumentation
- Address Space Layout Randomization (ASLR)
- ASLR on various platforms
- Lab – Effects of ASLR
- Circumventing ASLR – NOP sleds
- Circumventing ASLR – memory leakage
- Non-executable memory areas
- The NX bit
- Write XOR Execute (W^X)
- NX on various platforms
- Lab – Effects of NX
- NX circumvention – Code reuse attacks
- Return-to-libc / arc injection
- Return Oriented Programming (ROP)
- Protection against ROP
Security testing
- Security testing vs functional testing
- Manual and automated methods
- Black box, white box, and hybrid testing
Security testing methodology
- Security testing – goals and methodologies
- Overview of security testing processes
- Identifying and rating assets
- Preparation and scoping
- Identifying assets
- Identifying the attack surface
- Assigning security requirements
- Lab – Identifying and rating assets
- Threat modeling
- SDL threat modeling
- Mapping STRIDE to DFD
- DFD example
- Attack trees
- Attack tree example
- Lab – Crafting an attack tree
- Misuse cases
- Misuse case examples
- Risk analysis
- Lab – Risk analysis
- Accomplishing the tests
- Reporting, recommendations, and review
Common software security weaknesses
Security features
- Authentication
- Password management
- Inbound password management
- Storing account passwords
- Password in transit
- Lab – Is just hashing passwords enough?
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- Password policy
- NIST authenticator requirements for memorized secrets
- Case study – The Ashley Madison data breach
- The ultimate crack
- Exploitation and the lessons learned
- Password database migration
- Testing for password management issues
- Using password cracking tools
- Lab – Password audit with John the Ripper
Common software security weaknesses
Input validation
- Input validation principles
- What to validate – the attack surface
- Where to validate – defense in depth
- When to validate – validation vs transformations
- Validation with regex
- Injection
- Injection principles
- Injection attacks
- Code injection
- OS command injection
- Lab – Command injection
- OS command injection best practices
- Avoiding command injection with the right APIs
- Lab – Command injection best practices
- Case study – Shellshock
- Lab - Shellshock
- Testing for command injection
- Integer handling problems
- Representing signed numbers
- Integer visualization
- Integer promotion
- Integer overflow
- Lab – Integer overflow
- Signed / unsigned confusion
- Case study – The Stockholm Stock Exchange
- Lab – Signed / unsigned confusion
- Integer truncation
- Lab – Integer truncation
- Case study – WannaCry
- Best practices
- Precondition testing
- Postcondition testing
- Best practices in C
- Best practices in C++
- Lab – Integer handling best practices in C++
- Testing for numeric problems
- Files and streams
- Path traversal
- Lab – Path traversal
- Path traversal best practices
- Lab – Path canonicalization
- Testing for path traversal
Security testing
Security testing techniques and tools
- Code analysis
- Static Application Security Testing (SAST)
- Lab – Using static analysis tools
- Dynamic analysis
- Security testing at runtime
- Penetration testing
- Stress testing
- Dynamic Application Security Testing (DAST)
- Fuzzing
- Fuzzing techniques
- Fuzzing – Observing the process
- American Fuzzy Lop (AFL)
Wrap up
- Secure coding principles
- Principles of robust programming by Matt Bishop
- Secure design principles of Saltzer and Schroeder
And now what?
- Software security sources and further reading
- C and C++ resources
- Security testing resources3 jours2250.002250.00