Cybersecurity: Software Assurance - Input Validation     New!

On-site
Delivery
Open
Enrollment

I.D.# C1521Printable Description
Duration: 2 Days
April 26-27, 2017 (8:30 a.m. - 4:30 p.m. ) - Troy, Michigan  
October 18-19, 2017 (8:30 a.m. - 4:30 p.m. ) - Troy, Michigan  

Hotel & Travel Information

Organizations are becoming increasingly aware of the importance of developing secure software. This seminar introduces students to the concepts of software assurance which have direct application in all software industries, including automotive and aerospace sectors. The intent of this seminar is to give students an appreciation of the technical challenges associated with software assurance while developing the technical skills necessary to engineer secure software.

Performing input validation is imperative when developing secure software systems as this seminar will demonstrate. A variety of vulnerabilities caused by failure to validate input that potentially allow an attacker to alter intended program execution flow and execute arbitrary (attacker-supplied) code will be examined. Finally, the seminar will enumerate several classes of vulnerabilities associated with input validation and present prevention and mitigation techniques along with methods to test and discover such vulnerabilities.

This seminar will provide in depth coverage of stack- and heap-based buffer overruns, integer overflows and underflows, command injection, Structured Query Language (SQL) injection, cross site scripting, format strings and more. These vulnerability classes account for 50% of the most critical vulnerabilities reported to the National Vulnerability Database (https://nvd.nist.gov/) from 2011 through 2015. Hands-on laboratory exercises will reinforce the principles taught in the course and give students an opportunity to practice their defensive programming skills at finding and mitigating these vulnerabilities.

Attendees will receive a bootable, live CD with a pre-configured environment including additional practice exercises for honing their skills after the seminar.

Learning Objectives
By attending this seminar, you will be able to:

  • Describe the technical challenges associated with software assurance
  • Discover and mitigate vulnerabilities associated with buffer overruns
  • Discover and mitigate vulnerabilities associated with numeric representation (including integer overflows and underflows)
  • Discover and mitigate vulnerabilities associated with command injection
  • Discover and mitigate vulnerabilities associated with format strings
  • Recognize the importance of proper error handling and correct application

Who Should Attend
This seminar is intended for scientists and engineers who want to increase their skills for writing secure software. Other potential students who will benefit from this course include software test engineers seeking testing strategies and methods to discover and mitigate these vulnerabilities in software projects and penetration testers seeking mitigation strategies for discovered vulnerabilities.

Prerequisites
A basic understanding of programming is required. Laboratory exercises mainly use the C and C++ programming languages and are intentionally simple to demonstrate the course material clearly. Linux virtual machines provided include the laboratory materials for the course. For testing purposes, the course includes sample Python test scripts that students may extend as part of the laboratory exercises.

Topical Outline
Day One

  • Overview of Software Assurance (SwA)
    • Definitions
    • Brief history of software failures
    • Security concepts and vulnerability taxonomies
    • Adopting a hacker mindset
  • Protection strategies
  • Vulnerabilities: Description, prevention and mitigation, testing and discovery
    • Buffer overrun
    • Integer overflow/underflow
Day Two
  • Vulnerabilities: Description, prevention and mitigation, testing and discovery
    • Command injection
    • SQL injection*
    • Cross site scripting*
    • Format string vulnerabilities
    • Error handling
* This course partially covers these topic vulnerabilities. The SAE Seminar ID#C1523 Software Assurance: Trust in Web and Network Technologies fully covers these topic vulnerabilities. More information on this seminar will be available on the SAE website soon.

Instructor(s): Dr. Samuel Mantravadi
Dr. Samuel Mantravadi is a Research Engineer at the Embedded, Commercial and Sensors Office of Assured Information Security, Inc. Since joining AIS, Dr. Mantravadi has been applying his knowledge of sensor systems and embedded development to address cybersecurity challenges when connecting processors and networking directly to sensors including medical devices, automobiles, aircraft systems, and other sensor systems. He has a unique combination of experience in embedded software development, testing, reverse engineering and sensor systems along with a strong background in research for the United States Air Force. During his Air Force career, he served in three different directorates of the Air Force Research Laboratory, working on sensor technology development programs for Directed Energy, Basic Research (AFOSR) and the Center for Rapid Innovation. Dr. Mantravadi has published four referred journal and conference papers. He holds an MS in Electrical Engineering from Wright State University and a PhD from the Air Force Institute of Technology.

Fees: $1530.00 ; SAE Members: $1224.00 - $1377.00

1.3 CEUs
You must complete all course contact hours and successfully pass the learning assessment to obtain CEUs.

To register, click Register button at the top of this page and submit the online form, or contact SAE Customer Service at 1-877-606-7323 (724/776-4970 outside the U.S. and Canada) or at CustomerService@sae.org.

For a quote on bringing this course to your company site, fill out a Corporate Learning Solutions Request Form