Where on the internet can we learn Secure Programming in C/C++ [closed]
I am starting to learn everything about security and secure programming.
I have always heard about things like buffer overflow vulnerability.
But I don't know yet how such vulnerabilities are exploited, or how we can program securely enough to make sure that our code is robust.
When I say all this, my programming languages of interest are C and C++.
I am looking for free tutorials and resources on the internet where I can learn all the ins and outs of secure programming.
Platform specific tips are also welcome. For example, I know that in Windows programming we can use functions like "memmove_s" to have secure code. But what are the equivalents in Linux/Unix? Or is it the same there?
Should a C/C++ programmer worry about specially crafted formatted strings (like the very popular old PHP formatted strings vulnerability)?
A lot of questions here, but the general idea is that I mean to learn Secure Programming.
Thanks for every bit of help.
Check out CERT C Secure Coding Standard & CERT C++ Secure Coding Standard.
I'll throw a couple out there and make this community wiki:
- Never, ever, ever use gets.
- Don't assume a string is null terminated unless you really, really know that it is.
- Never just declare a large fixed-size buffer and assume it'll be "big enough" for what you are doing.
- Assertions, assertions, assertions. If there's even the theoretical possibility that something might not be correct, go ahead and assert that it is. If something is not quite how you expected it, you want your program to die immediately and spectacularly. Make sure your assertions will not be optimized away.
- Be very careful with buffers. There are some functions (e.g. gets) that write into a buffer without knowing how big it is. Do not use these functions. Always check your buffer sizes right where you need them rather than relying on precomputed values.
- Always check return codes. If you cannot do anything meaningful on an error (e.g. malloc), then assert success, or better, write a wrapper function that asserts success so that it cannot possibly return an error value, and never use the original. To be extra-paranoid, have your compiler emit a warning if you implicitly ignore a return value.
- Treat any data entering the program as a possible malicious attack, because it is. This includes configuration files as well as user input.
- "Premature optimization is the root of all evil." First make it right. Don't even think about making it faster unless a) you absolutely have to and b) you have profiled the code and know precisely what your bottlenecks are.
- Have someone else check your code.
These are only a handful of starting points. Writing secure code is hard.
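Several of the rules above in working C++, as an added example that is not part of the original answer: a CHECK macro that is not removed by NDEBUG, an allocation wrapper that cannot return NULL, a bounded replacement for gets() that rejects over-long lines instead of silently truncating them, a copy that never trusts the source to be NUL-terminated, and untrusted text printed only ever as an argument, never as the format. All the names (CHECK, xmalloc, read_bounded_line, bounded_copy, echo_untrusted, demo_with_constructed_input) are my own, and the input fed through them is constructed, not real data.

```cpp
// Added example, not code from the original answer. Names and data are mine.
#include <cassert>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Assertion that survives -DNDEBUG: a violated invariant aborts the program
// instead of letting it continue in an unknown state.
#define CHECK(cond)                                                          \
    do {                                                                     \
        if (!(cond)) {                                                       \
            std::fprintf(stderr, "CHECK failed: %s (%s:%d)\n", #cond,        \
                         __FILE__, __LINE__);                                \
            std::abort();                                                    \
        }                                                                    \
    } while (0)

// Wrapper that cannot return NULL, so callers never have to remember to check.
void* xmalloc(std::size_t n) {
    void* p = std::malloc(n);
    CHECK(p != nullptr);
    return p;
}

// Bounded replacement for gets(): reads at most cap-1 bytes into buf and
// always NUL-terminates. Returns false on EOF/error or when the line does not
// fit; an over-long line is drained and rejected rather than split in two.
#if defined(__GNUC__)
__attribute__((warn_unused_result))   // compiler warns if the result is ignored
#endif
bool read_bounded_line(FILE* in, char* buf, std::size_t cap) {
    if (cap == 0) return false;
    if (std::fgets(buf, static_cast<int>(cap), in) == nullptr) {
        buf[0] = '\0';
        return false;
    }
    std::size_t len = std::strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return true;
    }
    // No newline seen: either the last line of the input or the line was too long.
    int c = std::fgetc(in);
    if (c == EOF) return true;                    // legitimate unterminated last line
    while (c != '\n' && c != EOF) c = std::fgetc(in);   // drain the rest of the long line
    buf[0] = '\0';
    return false;
}

// Copy a source whose length is known separately (it may not be NUL-terminated)
// into a fixed buffer, leaving room for the terminator.
bool bounded_copy(char* dst, std::size_t cap, const char* src, std::size_t src_len) {
    if (cap == 0 || src_len >= cap) return false;
    std::memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

// Untrusted text is passed as an argument; it is never used as the format string.
void echo_untrusted(const std::string& s) {
    std::printf("%s\n", s.c_str());
}

// Drive the helpers with constructed input and report whether they behaved
// as intended. Returns true when every check passed.
bool demo_with_constructed_input() {
    FILE* f = std::tmpfile();
    if (f == nullptr) return false;
    std::string overlong(300, 'A');                 // longer than the 64-byte buffer below
    std::fprintf(f, "short\n%s\nlast", overlong.c_str());
    std::rewind(f);

    char buf[64];
    bool ok = true;
    ok = ok && read_bounded_line(f, buf, sizeof buf) && std::strcmp(buf, "short") == 0;
    ok = ok && !read_bounded_line(f, buf, sizeof buf);   // over-long line refused
    ok = ok && read_bounded_line(f, buf, sizeof buf) && std::strcmp(buf, "last") == 0;
    ok = ok && !read_bounded_line(f, buf, sizeof buf);   // EOF
    std::fclose(f);

    char dst[8];
    ok = ok && bounded_copy(dst, sizeof dst, "abcdefgh", 7) && std::strcmp(dst, "abcdefg") == 0;
    ok = ok && !bounded_copy(dst, sizeof dst, "abcdefgh", 8);   // no room for the NUL
    return ok;
}

int main() {
    return demo_with_constructed_input() ? 0 : 1;
}
```

The demo writes three constructed lines to a temporary file and reads them back through a 64-byte buffer: the 300-character line is refused and drained, so the following read starts on the next real line instead of on the leftover tail of the long one. With -Wall, GCC and Clang warn wherever read_bounded_line's result is discarded, which is the "warn if you implicitly ignore a return value" point from the list.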
Secure programming encompasses practices that reduce the chance of misuse by code maintainers themselves.
Here's my two cents -- avoid using pointers where you can. In my opinion, a pointer should be used only when a NULL value has a special meaning. This principle carries over to several coding idioms:
- Use STL vectors instead of arrays
- Use pass-by-reference/pass-by-value when passing basic types to a function
- Use pass-by-const-reference when passing user-defined types to a function. This is as efficient as passing a pointer.
The bottom line is, if there are pointers involved, there's a good chance they will be misused by someone who will eventually inherit the code.
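The pointer-avoiding idioms above in working C++, as an added example that is not part of the original answer: a user-defined type passed by const reference, a std::vector in place of a raw array plus a separately carried length, bounds-checked access with at(), and a pointer kept only where nullptr genuinely means "not found". The Record type, the function names and the sample data are my own constructions.

```cpp
// Added example, not code from the original answer. Types, names and data are mine.
#include <cassert>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct Record {
    std::string name;
    std::vector<int> readings;
};

// The idiom being replaced: the length travels separately from the data, and
// nothing stops a caller passing the wrong n or a null p.
int total_raw(const int* p, std::size_t n) {
    int sum = 0;
    for (std::size_t i = 0; i < n; ++i) sum += p[i];
    return sum;
}

// Pass-by-const-reference: no copy, no pointer, cannot be null, and the
// container carries its own length so there is no index to get wrong.
int total(const Record& r) {
    int sum = 0;
    for (int v : r.readings) sum += v;
    return sum;
}

// Basic types by value; at() throws std::out_of_range instead of reading
// past the end the way operator[] on a raw array would.
int reading_at(const Record& r, std::size_t i) {
    return r.readings.at(i);
}

// A pointer is justified only where "absent" is a real outcome:
// nullptr means there is no record with that name.
const Record* find_record(const std::vector<Record>& db, const std::string& name) {
    for (const Record& r : db)
        if (r.name == name) return &r;
    return nullptr;
}

// Constructed sample data; the vector grows on demand, so there is no
// fixed-size "big enough" buffer to overflow while building it.
std::vector<Record> constructed_db() {
    return {
        {"alpha", {1, 2, 3}},
        {"beta", {10, 20}},
    };
}

// True when reading index i of r is rejected as out of range.
bool out_of_range_is_caught(const Record& r, std::size_t i) {
    try {
        (void)reading_at(r, i);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    std::vector<Record> db = constructed_db();
    const Record* hit = find_record(db, "beta");
    bool ok = hit != nullptr && total(*hit) == 30
              && find_record(db, "gamma") == nullptr
              && out_of_range_is_caught(db[0], 3);
    return ok ? 0 : 1;
}
```

The contrast is total_raw versus total: both compute the same sum, but only the raw version has a contract (n must match the allocation, p must not be null) that the compiler cannot see and a later maintainer can break. find_record keeps a pointer because "no such record" needs a representation, which is exactly the case the answer carves out.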