Institute for Advanced Professional Studies

Secure Programming Techniques Workshop

Secure Programming Overview:

Secure Programming is the practice of developing software where attention and planning are given to producing robust and reliable applications that operate securely.

Workshop Objectives:

This workshop presents practical programming techniques for developing and enhancing the security of applications. Secure development concepts, techniques and goals are identified. Primary methods of attack and perpetrators are surveyed and concrete recommendations are given to prevent each type of attack. A list of secure programming do's and don'ts is included. Guidelines for both testing software and code reviews are presented.

Upon successful completion of this course, participants will be able to:

  • Explain how to develop secure applications using best practices and common sense
  • Describe how to examine, test, and (where possible) retrofit existing code for an acceptable level of information protection and availability
  • Describe the types of threats applications face
  • Explain the difference between threats and risks
  • Explain the different methods of handling risks: elimination, minimization, acceptance, transference
  • Explain common methods of attack and techniques to help prevent them
  • Describe how to decide how much effort should be spent on protecting information assets
  • Describe the use of Threat Modeling and Threat Trees
  • List fundamental secure programming principles
  • Describe common methods of attack and how to prevent them
  • Explain why security testing is necessary and how it differs from functional testing
  • Describe guidelines for code reviews and explain how to prioritize resources and time in large code bases
  • List available tools for source level security auditing and describe their limitations

IAPS can customize security training to achieve specific organizational objectives by focusing on an organization's computing platforms, work environment and information confidentiality, integrity and availability requirements. We also offer training for corporate management responsible for information protection, and IT users who are an organization's first line of defense and often targeted directly by hackers.

Topic Outline:

  • Overview of Threats and Risks
    • Physical threats
    • Electronic threats
    • The Threat Equation
    • Handling risks in software
  • Survey of Types of Attacks and Attackers
  • Secure Programming Concepts and Principles
    • Designing for security
    • Threat modeling
      • How to decompose a system
      • How to develop and use Threat Trees
    • How much effort should be spent on protecting information?
    • Why deploying redundant security measures is appropriate (practicing "defense in depth")
    • Planning so that if/when code fails, it does so in a secure manner (failing securely)
    • Executing code with the minimum rights needed to function properly (the principle of "least privilege")
    • Does security through hiding implementation details work ("security through obscurity")?
    • Remaining alert and staying aware
  • Secure Programming Issues and Techniques
    • Implementing authentication
      • username/password
      • biometrics
      • Digital Certificates
      • Commonly used systems such as X.509 Certificate Authentication, Kerberos, Microsoft Passport, etc.
    • Authorization
      • Using Access Control Lists (ACLs)
    • Implementing encryption
    • Using auditing in applications
    • Denial of service attacks and techniques for increasing availability
  • Common Methods of Attack and How to Prevent Them
    • Buffer overflows
      • Protecting against buffer overflows
      • Avoiding dangerous calls
    • Malicious input
      • Input issues and trust boundaries
      • Treating all input as malicious and always validating it
    • Race conditions
      • Avoiding deadlocks
      • Avoiding TOCTOU (Time of Check/Time of Use) race conditions
      • Remedies
    • Spoofing
      • Spoofing types and defenses
  • Secure Programming Do's and Don'ts
  • Security Testing
    • Fundamental differences from functional testing
    • The most common security flaws
    • Using code coverage as a metric
    • Using threat coverage as a metric
    • How to assess the vulnerability of your system
    • How to assess the vulnerability of your own code
    • How to assess the vulnerability of commercial products such as databases, communication packages, server software, operating systems
  • Guidelines for Reviewing Code for Security Flaws
    • How to prioritize time and effort spent
  • Source Level Security Auditing Tools
One day interactive lecture or two days with hands-on labs.

Intended Audience:

This course is designed for all members of the application development team, including programmers, architects, and technical managers. Familiarity with application programming as it applies to each job function is a prerequisite.

Technical Prerequisites:

Familiarity with application programming as it applies to each job function is a prerequisite.

Course Format:

Interactive lecture and/or hands-on workshop

© Copyright 2002-2015 Institute for Advanced Professional Studies (IAPS)