Secure Coding
Riscure Academy - Online Group TrainingFor C/C++ developers to learn to actively identify security vulnerabilities and implement countermeasures.
Duration
3 courses
4-5 weeks
15 hours self-paced eLearning
4.5 hours Live Mentoring
Certificate
70% or higher on final assessment
Team report (pre vs post assessment)
Interactive
Exercises
Assignments
Quizzes
Live mentoring
Scalable
Self-paced eLearning
Scheduled live mentoring
Spaced for efficiency & effectiveness
Scale to multiple groups
After this program participants will be able to
Challenge assumptions:
Making assumptions is a common but dangerous programming practice. It can lead to incorrectly validated input. You will learn how software programs are executed in the memory, what happens when a device operates out of bounds, and how instantaneous power consumption can be used to extract secret information.
Find vulnerabilities:
A device or application can be compromised when even a single vulnerability is identified by an attacker. The goal of a developer is to remove all vulnerabilities. You will learn how to eliminate the most common logical errors in software, add extra defenses to the critical areas of code, and secure the crypto engines.
Choose and implement defences:
While there are many possible defense mechanisms, each comes at a cost: execution time, required memory, access to hardware components such as RNGs. You will learn how to analyse the cost and effect trade-off, and thus be able to make informed strategic decisions.
Fundamentals of Secure Coding
This program helps developers of embedded systems learn how to eliminate logical errors, harden critical code areas against fault attacks, and protect crypto algorithms against side channel attacks.
What makes this program unique?
Most embedded security training focus on attacks and building setups. But these do not address how to protect your device and application from real-world attackers. In this program, the emphasis is on defensive coding techniques and available countermeasures that developers can apply straight away! We make use of tips, tricks, and best-practices used by Riscure security analysts who review large code bases and have years’ worth of experience performing SCA & FI attacks. This is a unique program with a clear objective: learn to identify vulnerabilities, implement countermeasures, and evaluate their cost, like performance penalties or increased resource demand.
Developers with background in C/C++
Effectively identify vulnerabilities
Implement countermeasures
Evaluate cost of countermeasures
Memory Corruption
- Secure Code Development – what and why?
- Intro to Memory Corruption
- Buffer Overflows: stack, heap, global data segment
- Arbitrary writes
- Off-by-one error
- Understanding root causes and memory corruption culprits
- Implement coding best practices & the secure development life cycle
- Reactive approaches: catching & patching, mitigating, assessing
- Proactive approaches: implementing guidelines
Side Channel Analysis
- Intro to Side Channel Analysis
- Simple Power Analysis (SPA)
• Understanding SPA
• Examples: PIN verification, RSA - Differential Power Analysis (DPA)
• Performing DPA
• Examples: DES and AES encryption - SCA countermeasures: masking and hiding
- SCA in the presence of countermeasures
Fault Injection
- Intro to Fault Injection
- Characterization of faults
- Types of faults: instruction skipping, data corruption
- Evaluating the complexity of FI attacks
- SW Countermeasures: redundancy, control flow checks, values checks
- HW Countermeasures: glitch detectors, shields, redundancy
- The cost vs effect of countermeasures
Lead developer
Name Here
Actionable and indispensable knowledge of security in Embedded Systems and IoT devices. Training on hardware and software security in a classroom setting, online or hosted in your own knowledge program.
What people say
“Very interesting learning approach and material across different aspects of state-of-the-art SoC development with Security in mind. I really want to thank Riscure for offering such good trainings, and the their trainers who make amazing use of their skills, experiences and kindness to easily communicate complex concepts to the audience.”
– Qualcomm
Get Started Today
Don’t let your organization’s embedded systems become an easy target. Invest in the security and success of your business by partnering with Riscure Academy. Contact us today to discuss your training needs and explore our approach. Together, we’ll empower your team to secure your organization’s future.
Frequently asked questions
Do you do individual training?
Individual training is available for self-enrollers within enterprises, but we do not training for individuals outside of organizations. For individuals we recommend Self-Paced or Open training. If you are unsure, please get in touch by filling in the form below.
What is the minimum group size for your expert-led training program?
Are your programs delivered online or as classroom ?
customer's location. Our online programs blend self-paced e-learning, exercises, assessments, and in certain cases expert-sessions (like Q&A webinars or Group Exercises) with Riscure experts.
When can we start with the training/ what do the training schedules look like?
We do not have pre-defined dates for our training sessions. Instead, we aim to accommodate your preferred start time and schedule the spacing of training and relevant sessions accordingly. To ensure a seamless scheduling process, please provide advance notice of 3-4 weeks for our online group programs and 6-8 weeks for classroom programs, as this allows us to secure our trainers' availability. For online training by individuals (self-paced) any enrollment will be facilitated within days or weeks, depending on the level of integration with the customer training platform or HR system. For Open Training schedules, please, contact us by filling in the form below.
Does customer have access to the training materials after the program?
For expert-led group training, including online/hybrid and classroom formats, access to relevant training materials remains available after the training period. The formal training schedule with deadlines is coordinated between Riscure and the customer.