Secure Code Training
Poznan, Poland, 22 - 23 June 2010
Overview
The GÉANT Security Expertise Delivery (SED) service, which forms part of the Security task in Multi-Domain Services (SA2 Task 4), has been created to ensure the provision of security expertise to GÉANT multi-domain service development activities. Its primary objective is to proactively support the adoption of GÉANT multi-domain services and tools by ensuring security concerns are addressed as an integral part of the service lifecycle.
As part of its effort to fulfil this objective, the SED service, in association with the Software Governance activity (SA4), would like to invite you to a two-day Secure Coding training course. The facilitators will include Gerard Frankowski and Tomasz Nowak, who are both from the PSNC Security Team. Day one of the course will first outline the cost of writing insecure code, giving examples of catastrophic software bugs. It will then provide an overview of good security practices, such as proper authentication, appropriate session implementation in Web applications, avoiding information disclosure (with appropriate error handling and logging, etc.) and so on. It will also cover other practical considerations (for example, a program that is secure within one environment may not be secure in another).
Next, the course will move on to look at securing web services and using public key infrastructure and X.509 certificates, and it will provide a short overview of eduGAIN. Day two will focus on specific vulnerabilities. Each will be described theoretically, and then concrete examples will be provided in one or more popular programming languages, such as Java, C and C++. Participants will also be given the opportunity to complete exercises on each of the vulnerabilities. The vulnerabilities covered will include:
- Using dangerous functions.
- Handling sensitive data.
- Buffer overflows.
- Resource and memory leaks.
- Race conditions.
- Null pointer dereference.
- Format string errors.
- Overflows and off-by-one errors.
- Exception handling.
- Inefficient code patterns.
- Inappropriate access to classes.
- Cross-Site Scripting.
- SQL Injection.
Finally, the use (or otherwise) of automated code scanners will be discussed, and some examples of such tools will be given.