Secure C++: Is It Really That Bad?

Sergey will analyze the recent NSA report and tell if the security situation in C++ is really that bad, and what the modern industry offers to solve this issue.

He will break down security issues in C++ using open source examples from Chromium, among them:

• Memory handling.
• UB.
• C legacy, strings, arithmetic, type conversions.

The speaker will also show different approaches to mitigating the problems described, in particular:

• Static analysis.
• Dynamic analysis.
• Fuzzing testing.
• Hardening.
• Identification of safe language subsets: Misra, AUTOSAR, Google standard.
• SDL methodology as a comprehensive solution.
• (Bonus) KasperskyOS approach for detecting untrusted components that may contain vulnerabilities, but are not vulnerable to exploitation and attack.