Secure Coding in C and C++

Robert C. Seacord

⏱ 1-day-workshop
intermediate
09:00-18:00, Monday, 31st March 2025
Secure Coding in C and C++ is a full-day training course that provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to vulnerable software.

Outline

This course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries.

This course covers specific remediation techniques for each category of security flaws as well as general secure coding practices that help prevent the introduction of vulnerabilities.

Material in this presentation was derived from the Addison-Wesley books Secure Coding in C and C++ and The CERT C Secure Coding Standard.

Agenda

Integer Types

Integer Data Types

  • Unsigned integer types
  • Wraparound
  • Signed integer types
  • Signed integer ranges
  • Overflow
  • Character types
  • Other integer types

Integer Conversions

  • Integer conversion rank
  • Integer promotions
  • Usual arithmetic conversions
  • Conversions to unsigned integer types
  • Conversions to signed integer types
  • Conversion implications

Integer Operations

  • Addition
  • Multiplication
  • Division/remainder
  • Right shift

Exercise: Reviewing Code for Integer Defects

Integer Vulnerabilities

  • Wrap around
  • Conversion error
  • Truncation
  • Non-exceptional

Mitigation Strategies

  • Integer type selection
  • Safe integer operations
  • Compiler Strategies
  • Testing and reviews

Dangerous Optimizations & Dynamic Memory

  • Compiler Optimizations
  • Constant Folding
  • Adding a Pointer and an Integer

Summary

🏷 Secure coding
🏷 C
🏷 integers
🏷 C++

Robert C. Seacord

Robert C. Seacord is standardization lead at Woven Planet, where he helps standardize software development practices. Robert is an expert on ISO/IEC JTC1/SC22/WG14, the international standardization working group for the C programming language. He is the author of seven books, including Effective C (No Starch, 2020), The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). He has also published more than 50 papers on software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.