Introduction to Secure Coding

Welcome    Why?    Training    Games    ChangeBlog    External Resources    Submit Content


Creators:    Andrew Buttner

                    Larry Shields

License:    Creative Commons: Attribution, Share-Alike


Class Prerequisites: Participants must have working knowledge and experience writing code and developing applications. A specific programming language is not required as the concepts that will be discussed are language independent.

Lab Requirements: Lab materials for the Introduction to Secure Coding course, including the demonstration web application and attack tools, have not been made available at this time. These will hopefully be released in the near future. Until that time, verbal discussion based on the place-holder slides will have to suffice.

Related Reading: "Writing Secure Code: Second Edition" by David LeBlanc and Michael Howard

Recommended Class Duration: 1 day

Creators Available to Teach In-Person Classes: Yes

Author Comments:

The purpose of this course is to provide developers with a short, focused primer related to secure coding.  The hope is that each developer will leave the course with a better understanding of how they can improve, from a security perspective, the code that they write.  This course provides a look at some of the most prevalent security related coding mistakes made in industry today.  Each type of issue is explained in depth including how a malicious user may attack the code, and strategies for avoiding the issues are then reviewed.  Knowledge of at least one programming language is required, although the specific programming language is not important as the concepts that will be discussed are language independent.  The course will cover many of the weaknesses within the context of a web application, but most of the concepts will apply to all application development.

Course Objectives

    * reinforce the importance of secure coding

    * identify the most common code level weaknesses within code

    * provide an overview of each weakness type including examples within code

    * weaknesses include cross-site scripting, SQL injection & bypassing authorization

    * demonstrate how malicious users will exploit these weaknesses

    * discuss techniques to avoid each weakness

    * provide an overview of internal and external resources available to developers

This class will serve as a prerequisite for the Secure Code Review class.

Author Biography:

Andrew Buttner - Leads a software assurance group at MITRE specializing in secure code review. He has worked on improving application security for both MITRE and its customers since joining the organization in 2001. An expert in the field of source code weaknesses, Andrew is also involved in a number of research efforts related to secure software development and the level of confidence in resulting code.

Larry Shields - Larry Shields is Chief of Information Security Services at MITRE. During his time at MITRE, Larry has been involved in software review & testing for many custom, open source, and vendor products. Prior to joining MITRE, Larry spent many years running code reviews, conducting penetration testing, and teaching application security courses for Fidelity Investments. He is a Certified Information Systems Security Professional (CISSP), and has been a contributor to the Open Web Application Security Project (OWASP).

Class Materials

All Slides (159 slides)

Revision History:

1-7-2015 - Initial class content upload

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.