CppCon 2018: “Secure Coding Best Practices: Your First Line Is The Last Line Of Defense (1 of 2)”
http://CppCon.org
Matthew Butler “Secure Coding Best Practices: Your First Line Is The Last Line Of Defense (part 1 of 2)”
—
Presentation Slides, PDFs, Source Code and other presenter materials are available at: https://github.com/CppCon/CppCon2018
—
Computer systems are under siege 24 hours a day, day in and day out. The critical security infrastructure designed to protect those systems, won't:
* Perimeter security won't protect you.
* Network analytics won't protect you.
* Virus scanners won't protect you.
* Even the users who should know better than to click on that too-good-to-be-true offer won't protect you.
The other side has the best security hardware and software systems other people's money can buy and they have all the time in the world to find creative ways to defeat them. Meltdown and Spectre are prime examples of security vulnerabilities that have lurked dormant for decades. Or have they? If your systems are in any way connected to the outside world, the other side will get inside the wire on you. Know that going in.
Whether you write applications, libraries or work in kernel code, the line of code you write today may very well be the vulnerability someone else finds tomorrow. By nature every code base contains hundreds of attack surfaces and it only takes one serious vulnerability to compromise your system.
While Modern C++ is designed to be secure, the ways we use it often aren't.
In part one of this talk we'll see:
* How hackers think and how they identify weaknesses in our systems.
* How to identify hidden attack surfaces, attack vectors and vulnerabilities in critical systems.
* Where the most common vulnerabilities in Modern and classic C++ are and how to avoid them.
* Why avoiding parts of the language doesn't help.
* Where we can trade off security for performance.
At the end of part one, we'll do a walkthrough of a classic buffer overflow exploit to see how it works and what we've added to the operating systems and compilers to protect against them. Then we'll use it live to run a privilege escalation exploit and gain admin access on a system.
In part two, we'll see:
* Why common guidelines and static analysis tools often fail to find vulnerabilities.
* How to use Threat Modeling to analyze complex systems and build security into our systems at design time.
* How to use Trust Boundaries to protect critical infrastructure.
* Why open source and third-party libraries are fast becoming hidden liabilities in our software and how to protect ourselves against their vulnerabilities.
* What the best practices for protecting our code from attack are.
At the end of part two, we'll do a walkthrough of an exploit that can be successful today in spite of the safe guards built into our operating systems and compilers. Then, as before, we'll use it live to penetrate a system.
The critical security infrastructure designed to protect your systems is largely out of your control. The one thing you can control is the next line of code you write. This talk is for anyone that uses C++ or Modern C++ for kernel, applications or libraries that run in the real-world and that face real-world attacks.
In today's world, that's all of us.
—
Matthew Butler
Matthew Butler has spent the last three decades as a systems architect and software engineer developing systems for network security, law enforcement and the military. He primarily works in signals intelligence using C, C++ and Modern C++ to build systems running on hardware platforms ranging from embedded micro-controllers to FPGAs to large-scale airborne platforms. Much of his experience has come in either building systems that defend against attackers or building highly sensitive systems that are targets. He is actively involved in the C++ community and is on various planning committees for C++Now and CppCon as well as being a speaker at both.
Over the past thirty years, he has learned the harsh lessons on how we often write systems that fail, not because they don't scale, but because they aren't designed to be secure.
—
Videos Filmed & Edited by Bash Films: http://www.BashFilms.com
Видео CppCon 2018: “Secure Coding Best Practices: Your First Line Is The Last Line Of Defense (1 of 2)” канала CppCon
Matthew Butler “Secure Coding Best Practices: Your First Line Is The Last Line Of Defense (part 1 of 2)”
—
Presentation Slides, PDFs, Source Code and other presenter materials are available at: https://github.com/CppCon/CppCon2018
—
Computer systems are under siege 24 hours a day, day in and day out. The critical security infrastructure designed to protect those systems, won't:
* Perimeter security won't protect you.
* Network analytics won't protect you.
* Virus scanners won't protect you.
* Even the users who should know better than to click on that too-good-to-be-true offer won't protect you.
The other side has the best security hardware and software systems other people's money can buy and they have all the time in the world to find creative ways to defeat them. Meltdown and Spectre are prime examples of security vulnerabilities that have lurked dormant for decades. Or have they? If your systems are in any way connected to the outside world, the other side will get inside the wire on you. Know that going in.
Whether you write applications, libraries or work in kernel code, the line of code you write today may very well be the vulnerability someone else finds tomorrow. By nature every code base contains hundreds of attack surfaces and it only takes one serious vulnerability to compromise your system.
While Modern C++ is designed to be secure, the ways we use it often aren't.
In part one of this talk we'll see:
* How hackers think and how they identify weaknesses in our systems.
* How to identify hidden attack surfaces, attack vectors and vulnerabilities in critical systems.
* Where the most common vulnerabilities in Modern and classic C++ are and how to avoid them.
* Why avoiding parts of the language doesn't help.
* Where we can trade off security for performance.
At the end of part one, we'll do a walkthrough of a classic buffer overflow exploit to see how it works and what we've added to the operating systems and compilers to protect against them. Then we'll use it live to run a privilege escalation exploit and gain admin access on a system.
In part two, we'll see:
* Why common guidelines and static analysis tools often fail to find vulnerabilities.
* How to use Threat Modeling to analyze complex systems and build security into our systems at design time.
* How to use Trust Boundaries to protect critical infrastructure.
* Why open source and third-party libraries are fast becoming hidden liabilities in our software and how to protect ourselves against their vulnerabilities.
* What the best practices for protecting our code from attack are.
At the end of part two, we'll do a walkthrough of an exploit that can be successful today in spite of the safe guards built into our operating systems and compilers. Then, as before, we'll use it live to penetrate a system.
The critical security infrastructure designed to protect your systems is largely out of your control. The one thing you can control is the next line of code you write. This talk is for anyone that uses C++ or Modern C++ for kernel, applications or libraries that run in the real-world and that face real-world attacks.
In today's world, that's all of us.
—
Matthew Butler
Matthew Butler has spent the last three decades as a systems architect and software engineer developing systems for network security, law enforcement and the military. He primarily works in signals intelligence using C, C++ and Modern C++ to build systems running on hardware platforms ranging from embedded micro-controllers to FPGAs to large-scale airborne platforms. Much of his experience has come in either building systems that defend against attackers or building highly sensitive systems that are targets. He is actively involved in the C++ community and is on various planning committees for C++Now and CppCon as well as being a speaker at both.
Over the past thirty years, he has learned the harsh lessons on how we often write systems that fail, not because they don't scale, but because they aren't designed to be secure.
—
Videos Filmed & Edited by Bash Films: http://www.BashFilms.com
Видео CppCon 2018: “Secure Coding Best Practices: Your First Line Is The Last Line Of Defense (1 of 2)” канала CppCon
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
CppCon 2018: “Secure Coding Best Practices: Your First Line Is The Last Line Of Defense (2 of 2)”
CppCon 2018: Simon Brand “How C++ Debuggers Work”
"This ONE SIMPLE Secret Will Completely CHANGE YOUR LIFE Today!"| Navy Seal William McRaven
Writing Secure Node Code: Understanding and Avoiding the Most Common Node.js Security Mistakes
Comparing C to machine language
Drinking from the Fire Hose: Keeping up with the evolving landscape of C++ - Brian Ruth - CppCon
CppCon 2019: David Olsen “Faster Code Through Parallelism on CPUs and GPUs”
Is Coding Important for Cyber Security?
CppCon 2017: Nir Friedman “What C++ developers should know about globals (and the linker)”
Which Programming Languages Should You Learn for Cybersecurity 2019
CppCon 2018: JF Bastien “Signed integers are two's complement”
Secure Coding Training Course (Lesson 1 of 5) | Introduction | Software Development | Cybrary
JavaScript Security: Hide your Code?
CppCon 2018: Chandler Carruth “Spectre: Secrets, Side-Channels, Sandboxes, and Security”
CppCon 2017: Kate Gregory “10 Core Guidelines You Need to Start Using Now”
CppCon 2016: Timur Doumler “Want fast C++? Know your hardware!"
Web application security: 10 things developers need to know
Code-It-Yourself! Flappy Bird (Quick and Simple C++)
CppCon 2018: Kate Gregory “Simplicity: Not Just For Beginners”