Duration: 2 days
January 10–11 (8:30 – 4:30 p.m.)
Location: 3500 Pentagon Blvd, Beavercreek, OH 45431

Organizations are becoming increasingly aware of the importance of developing secure software. Costs related to famous software failures related to input validation vulnerabilities specifically include loss of life, loss of billions of dollars in investments and decades of lost productivity. The overarching theme of most software application exploitations is insufficient or poor input validation. As history has shown, performing proper input validation is a foundational imperative when developing robust and secure software systems as this seminar will demonstrate. This seminar introduces students to common methods attackers use to exploit software and emphasizes how to discover and mitigate input validation vulnerabilities. This seminar has direct application to all industries that develop software systems including national defense, automotive and aerospace sectors. The intent of the seminar is to give students an appreciation of the technical challenges associated with software assurance while developing the technical skills necessary to engineer secure software.

This seminar examines a large variety of vulnerabilities caused by failure to perform sufficient input validation that potentially allow an attacker to alter intended program execution flow and execute arbitrary (attacker-supplied) code possibly leading to complete system compromise. Finally, the seminar will enumerate several classes of vulnerabilities associated with input validation and present prevention and mitigation techniques along with methods to test and discover such vulnerabilities.

This seminar will provide in-depth coverage of buffer overruns, integer overflows and underflows, command injection, Structured Query Language (SQL) injection, cross site scripting, format strings and more. These vulnerability classes account for 50% of the most critical vulnerabilities reported to the National Vulnerability Database from 2011 through 2015. Hands-on laboratory exercises will reinforce the principles taught in the course and give students an opportunity to practice their defensive programming skills at finding and mitigating these vulnerabilities. Attendees will receive a bootable, live CD with a pre-configured environment including additional practice exercises for honing their skills after the seminar.

Learning Objectives

By attending this seminar, you will be able to:

  • Describe the technical challenges associated with software assurance
  • Discover and mitigate vulnerabilities associated with buffer overruns
  • Discover and mitigate vulnerabilities associated with numeric representation (including integer overflows and underflows)
  • Discover and mitigate vulnerabilities associated with command injection
  • Discover and mitigate vulnerabilities associated with format strings
  • Recognize the importance of proper error handling and correct application

Who Should Attend

This seminar is intended for scientists and engineers who want to increase their skills for writing robust and secure software. Other potential students who will benefit from this course include software test engineers seeking testing strategies and methods to discover and mitigate these vulnerabilities in software projects and penetration testers seeking mitigation strategies for discovered vulnerabilities.

Prerequisites

A basic understanding of programming is required. Laboratory exercises mainly use the C and C++ programming languages and are intentionally simple to demonstrate the course material clearly. For testing purposes, the course includes sample Python test scripts that students may extend as part of the laboratory exercises.

Course Content

Day 1

  • Overview of Software Assurance (SwA)
    • Definitions
    • Brief history of software failures
    • Security concepts and vulnerability taxonomies
    • Adopting a hacker mindset
  • Protection strategies
  • Vulnerabilities: Description, prevention and mitigation, testing and discovery
    • Buffer overrun
    • Integer overflow/underflow

Day 2

  • Vulnerabilities: Description, prevention and mitigation, testing and discovery
    • Command injection
    • SQL injection*
    • Cross site scripting*
    • Format string vulnerabilites
    • Error handling

* This course partially covers these topic vulnerabilities. Software Assurance: Trust in Web and Network Technologies fully covers these topic vulnerabilities.

Instructor(s): Thomas Dube

Dr. Thomas Dube is a Senior Cyber Security Analyst at the Embedded, Commercial and Security Office of Assured Information Security, Inc. He has unique combination of experience in software development, testing and reverse engineering along with a strong background in academia where he served as the curriculum chair for a graduate cyber operations program. During his tenure as curriculum chair, his program was only 1 of 7 programs in the U.S. to have all Center of Academic Excellence designations co-sponsored by the Department of Homeland Security and the National Security Agency.

Before joining AIS, Dr. Dube served as an Assistant Professor of Computer Engineering in the Computer Science and Engineering Division of the Air Force Institute of Technology. In this position he taught graduate courses in operating systems, software assurance, reverse engineering and computer networks. Dr. Dube has published 15 IEEE or equivalent archival journal articles and conference papers. He is a Senior Member of the IEEE and also holds one U.S. patent for malware detection technology. He holds an MS degree in Information Assurance and a PhD degree in Computer Engineering from the Air Force Institute of Technology.

System Requirements:

For this class students will need to bring a laptop computer system with at least 4GB of RAM, 2+ USB 2.0 ports, and has the ability to boot an OS from a USB drive or DVD (OS on USB/DVD will be provided).

Class times for this two day class are from 8:30 am until 4:30 pm each day (lunch and snacks will be provided).

This course qualifies for 13 Continuing Education Units (CEUs).

Cancellation Policy: Substitutions allowed up to 1 week prior to event. No refunds after December 12.

Register