Proper use and training are the keys to mastering secure C++, says Infosec Skills author Martin Dubois
“When I first started coding for a start-up, security wasn’t interesting to me. But as we began connecting with the rest of the world, it became clear that we had created things people wanted to steal. And if we wanted to protect them, we needed to become really good at securing our code.”
Martin Dubois began his college career at Laval University in Québec City with the intention of teaching programming. After earning his degree, Martin realized that he first needed to have real-world experience if he was going to teach. Martin worked for start-ups in the late ’90s to hone his craft. It was here that he faced his first challenges with security in networking and programming.
“When we started, we simply didn’t think about security. We were alone in the world, and no one could connect to what we were doing,” said Martin. He quickly learned the importance of security as the software and network world evolved.
In 2001, Martin founded his own freelancing company, Kernel Mode Software, which specializes in creating secure device drivers using C and C++ for Windows and Linux. In addition to running his company, Martin also teaches programming, computer science, and network security at various universities and colleges.
The full potential of C++
Martin’s Infosec Skills course teaches students how to securely code in C++. The language is basic but widely applicable. Martin stresses the importance of understanding the language thoroughly in order to use its full potential as securely as possible.
“I encourage my students to really understand how it works. And not only the language itself but also how the computer operates underneath the language,” said Martin.
C++ is often used in application development because of how well it lets developers manage resources. With C++, the developer can make the best use of their resources without taking up too much space. C++ is also excellent for rendering beautiful 3D games. Its ability to optimize resource usage allows for a very efficient product. Martin shares that he uses C++ as the base layer of software when programming operating systems.
Martin notes that many students jump into C++ development for a specific application without a real end-to-end understanding of the language’s nuances. C++ gives the programmer more latitude, including the ability to write outside the bounds of a buffer, which often leads to security vulnerabilities.
“One of the more common security errors with C++ that people aren’t aware of is the buffer overflow,” said Martin. “Other languages, like Java, don’t allow as many liberties, and this is exactly why I teach what I do. I like to focus on security concerns during development courses because I have seen the problems that students have with it.”
Martin’s biggest takeaway as an educator is how much his students teach him about contemporary web development. “Students come to me with problems with database development or database setup. It’s a good way for me to stay up-to-date in modern computer science,” said Martin.
Along with his learning path, Martin offers an interactive web server for students learning C and C++. Using this server allows developers to see their code working in real time on a webpage.
“I intentionally made security errors in the project to guide the student to find the problem and fix it themselves,” said Martin. He believes that the best way to learn security is by throwing yourself into the code, finding its weak spots, and correcting the mistakes.
For Martin, considering security before rushing into development is the key to programming in C++ or, for that matter, any language. “You have to take care of what you create, regardless of the code. Each time you create you have to think ‘how secure is this code?’ and ‘how will people try to attack it?’”
About Martin Dubois
Martin Dubois is a freelance software developer who helps clients develop safe, functional and efficient systems. In addition to developing in C and C++, he provides expert corporate training about device driver development and other related subjects. He is also a part-time lecturer at colleges and universities, where he teaches computer science, programming and network security.