August 2025 Workshops

Please note that this workshop will be held on 3 non-consecutive days (to allow for participation in the Secure Software by Design Event being held August 19-20):
Monday, August 18
Thursday, August 21
Friday, August 22

Producing secure programs requires secure designs, but even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This three-day workshop provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The workshop concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this workshop to be useful to anyone in-volved in developing secure C and C++ programs regardless of the specific application.

The workshop assumes basic C and C++ programming skills but does not assume an in-depth knowledge of software security. The ideas pre-sented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the Intel 64-bit and 32-bit Architectures (x86-64 and IA-32). Material in this presentation was derived from Secure Coding in C and C++, Second Edition, SEI CERT C Coding Standard (2016 Edition) and SEI CERT C++ Coding Standard (2016 Edition). The two SEI CERT Coding Standards, for C and C++, are both available as free downloads. To learn more about the CERT Secure Coding eLearning and Professional Certificates, please go to: SEI Certificates.

Audience
This workshop is designed for C and C++ developers.

Objectives
This workshop encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow's attacks, not just today's.
Participants will come away from this workshop with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. Participants will learn how to
• improve the overall security of any C or C++ application
• thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
• avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
• eliminate integer-related problems: integer overflows, sign errors, and truncation errors
• correctly use formatted output functions without introducing format-string vulnerabilities

Topics
Topics will include
• string management
• dynamic memory management
• integer security
• formatted output

Materials
Participants will be expected to download course slides and exercise VM. They can also download (for free) the 2016 Editions of the SEI CERT C Coding Standard and the SEI CERT C++ Coding Standard.

Prerequisites
It is recommended that participants have a basic to intermediate understanding of the C and C++ programming languages. Software security knowledge or experience is not required.

Required Equipment
Students must bring a personal computer equipped with
• 8 GB of RAM required, 16GB of RAM recommended
• 40GB or greater of free drive space
• the latest version of Adobe Reader (this can be downloaded from https://get.adobe.com/reader/)
• the latest version of VMware Workstation Player (this can be downloaded from https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html)

Students are also expected to download the course materials, which will be available at https://???. This material includes an exercise VM, which can be launched using VMWare Player.

The following item is optional. We provide them, but the student is free to substitute their own if they wish:
• C/C++ programming language development environments (compiler, editor, etc.), such as Microsoft Visual Studio

The computer need not connect to the Internet during the course.