Length: 2 Days
C++ Secure Coding with MISRA Compliance (2-Day Certification) by Tonex

C Programming for Security Professionals Workshop

This 2-day format ensures that participants receive both theoretical knowledge and practical application, preparing them for the certification exam at the end. Each module builds upon the previous one, starting with cybersecurity fundamentals, moving through secure coding standards, and concluding with advanced testing and secure coding principles.

The course provides participants with a comprehensive understanding of secure C++ coding practices, with a focus on achieving MISRA compliance. The course covers the fundamentals of cybersecurity, introduces secure coding standards like MISRA, SEI CERT, and ISO 26262, and dives into best practices for mitigating common software vulnerabilities such as integer overflow, injection attacks, and path traversal.

Participants will also learn about static and dynamic security testing techniques, enabling them to identify and mitigate security risks in C++ codebases. The course concludes with a certification exam to validate the participants’ knowledge and skills.

Learning Objectives:
By the end of this course, participants will be able to:

  • Understand the basic principles of cybersecurity and the risks associated with insecure software.
  • Explain the structure, purpose, and usage of MISRA C++, AUTOSAR C++14, and SEI CERT Coding Standards.
  • Identify and mitigate common software security weaknesses, including input validation errors, integer handling issues, and code injection vulnerabilities.
  • Apply secure coding principles to error and exception handling in C++.
  • Demonstrate effective use of security testing techniques, including static analysis, dynamic analysis, and fuzzing, to identify vulnerabilities.
  • Map coding practices to the MISRA standard and ensure compliance with relevant industry standards such as ISO 26262 and ISO 17961.
  • Implement best practices for secure C++ development, improving software robustness and security.

Target Audience:
This course is designed for:

  • C++ Developers who want to enhance their skills in secure coding and ensure MISRA compliance in their software projects.
  • Software Engineers working in industries like automotive, aerospace, and defense, where MISRA C++ and related standards are critical.
  • Security Professionals looking to deepen their understanding of software security weaknesses in C++ applications.
  • System Architects and Project Managers who need to understand secure software development processes and best practices to ensure compliance with industry standards.

Prerequisites:

  • Participants should have a basic to intermediate understanding of C++ programming. Familiarity with basic cybersecurity concepts is beneficial but not mandatory.

Course Agenda:

Module 1: Cybersecurity Basics

  • What is Security?
  • Threats and Risks
  • Cybersecurity Threat Types – The CIA Triad (Confidentiality, Integrity, Availability)
  • Consequences of Insecure Software

Module 2: Introduction to MISRA C++ Compliance

  • MISRA Overview
  • MISRA C++ 2008 vs. MISRA C++ 2023
  • AUTOSAR C++14 Overview
  • SEI CERT Coding Standards
  • Rules and Recommendations
  • SEI CERT C++ Coding Standard
  • ISO 26262 and ISO 17961 Overview
  • JSF++ Overview

Module 3: Common Software Security Weaknesses

  • Software Weakness Overview
  • Input Validation Principles
  • What to Validate: Identifying the Attack Surface
  • Where to Validate: Defense in Depth
  • When to Validate: Validation vs Transformations
  • Allowlist vs Denylist Strategies
  • Encoding Challenges and Output Sanitization
  • Unicode Handling
  • Regular Expression Denial of Service (ReDoS)

Module 4: Integer Handling Problems and Secure Practices

  • Signed and Unsigned Numbers
  • Integer Overflow and Truncation
  • Case Study: WannaCry
  • MISRA Essential Type Model
  • Best Practices in Integer Handling
  • Upcasting, Precondition and Postcondition Testing
  • Using Big Integer Libraries

Module 5: Secure Coding Standards for Input Validation and Injection Prevention

  • Injection Flaws (Code Injection, OS Command Injection, SQL Injection)
  • Case Study – Shellshock & Jeep Cherokee Command Injection
  • Secure Process Control (Library Injection)
  • Files and Streams
  • Path Traversal and Canonicalization
  • Wrap-Up & Q&A (15 min)
  • Recap of Day 1 topics and preparation for Day 2.

Module 6: Error and Exception Handling in C++

  • Secure Error and Exception Handling
  • Returning Misleading Status Codes
  • Using std::optional Safely
  • Secure Exception Handling in C++

Module 7: Code Quality and Security Best Practices

  • Importance of Code Quality for Security
  • Type Mismatches and Safe Initialization
  • Object-Oriented Programming Pitfalls
  • Access Modifiers, Inheritance, and Object Slicing
  • Safe Copy Operators and Mutability Handling

Module 8: Security Testing Techniques

  • Manual vs Automated Security Testing
  • Black Box, White Box, and Hybrid Testing Approaches
  • Static Application Security Testing (SAST)
  • Demo – Static Analysis Tools in Action
  • Dynamic Application Security Testing (DAST)
  • Fuzzing and Observing the Process
  • Demo – Using American Fuzzy Lop (AFL) for Fuzzing

Module 9: Secure Coding Principles and Wrap-up

  • Principles of Robust Programming by Matt Bishop
  • Secure Design Principles of Saltzer and Schroeder
  • Best Practices in Secure C++ Programming
  • Mapping to MISRA, SEI CERT, and ISO Standards

Final Review and Exam Preparation

  • Recap of Key Concepts
  • Exam Format Overview
  • Q&A Session

Course Exam and Certification

Exam Format: The course concludes with a 1-hour exam, which will include multiple-choice questions and coding challenges based on the topics covered during the course.

  • Passing Criteria: To pass the exam, participants must score 70% or higher.
  • Certification: Upon successful completion of the exam, participants will receive a Certified Secure C++ Developer certification, indicating proficiency in secure coding practices with MISRA compliance.
