Embracing an Adversarial Mindset for Cpp Security
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY 1. Adversarial Scenarios 2. Vulnerability Trends 3. Exploits in the Wild 4. Strategies for Secure C++ Development WHOAMI 0x401006 Microsoft 0x40E04C Twitter # @malwareunicorn COMMUNITY 0x402023 JNE SIDE ACTIVITIES Day in the Life: Vulnerability Research ● Looking at code 75% ● Instrumenting fuzzing harnesses 5% ● Making POC when needed group CVE-2021-28310 CVE-2021-1732 • Used for privilege escalation • Out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe) • Attacker grooms the heap
0 码力 | 92 pages | 3.67 MB | 6 months ago | 3
10 Problems Large Companies Have with Managing C++ Dependencies and How to Solve Them
talks on these topics too Problem 6: Security vulnerabilities in open-source code Solution 6: Vulnerability monitoring, prevention, and response • Review public CVE databases (e.g. GitHub Advisory Database) against known open-source code Problem 6: Security vulnerabilities in open-source code Solution 6: Vulnerability monitoring, prevention, and response • Make it trivial to update packages so you can respond quickly time / effort 5. Create an asset cache for sources needed to build dependencies 6. Develop a vulnerability monitoring, prevention, and response strategy and associated tools / workflows 7. Centralize
0 码力 | 46 pages | 917.72 KB | 6 months ago | 3
Security Beyond Memory Safety
Design Max Hoffmann Security Beyond Memory Safety CppCon 2024 28 Secure Coding Attacker Model Vulnerability Management Security Requirements Max Hoffmann Security Beyond Memory Safety CppCon 2024 29 My Statistics Max Hoffmann Security Beyond Memory Safety CppCon 2024 66 Time of Check vs Time Use of Vulnerability (TOCTOU) Max Hoffmann Security Beyond Memory Safety CppCon 2024 67 Max Hoffmann Security Beyond
0 码力 | 79 pages | 4.15 MB | 6 months ago | 3
Compile-Time Validation
value; vectorvec = { 0, 1, /* ... */ }; vec[index] = value; } Vulnerability - Injection "An injection flaw is a vulnerability which allows an attacker to relay malicious code through an application
0 码力 | 137 pages | 1.70 MB | 6 months ago | 3
Building Safe and Reliable Surgical Robotics with C++
ied/tested o Even the compiler needs to be verified! • Software Bill of Materials (SBOM) o Vulnerability management o Compliance and reporting o Supply chain transparency • Cybersecurity Bill of Materials
0 码力 | 71 pages | 4.02 MB | 6 months ago | 3
Back to Basics Testing
Thread Top Down Integration Unit Upgrade Usability User Acceptance User Interface Volume Vulnerability White box Workflow What is a test? 16 Integration System Unit What is a test? 17 Integration
0 码力 | 79 pages | 25.86 MB | 6 months ago | 3
Vectorizing a CFD Code With std::simd Supplemented by Transparent Loading and Storing
vs. register addition) ▪ Parallel loads (2 or 3 per cycle) ▪ Downfall: Gather Data Sampling vulnerability CVE-2022-40982 Possible Extension: globally overloadable operator[] Not a new idea, mentioned
0 码力 | 58 pages | 2.68 MB | 6 months ago | 3
2020: The Year of Sanitizers?
memory snapshots in Visual Studio, to pinpoint the failure. Want to unleash the memory vulnerability beast? Put your test units on steroids, by spinning fuzzing jobs with ASan in Azure, leveraging
0 码力 | 135 pages | 27.77 MB | 6 months ago | 3
Conan 1.56 Documentation
dependency. #11363 • Feature: Removed Python 2.7 support, as a result of an unsolvable security vulnerability in pyjwt. #11357 . Docs here 842 Chapter 23. Changelog Conan Documentation, Release 1.56.0 in save_sh function. #11123 • Bugfix: Force conan_server to use pyjwt>=2.4.0 to solve a known vulnerability. #11350 • Bugfix: Fix case where CMakeDeps generator may use the wrong dependency name for transitive
0 码力 | 963 pages | 7.67 MB | 1 year ago | 3
Conan 1.49 Documentation
dependency. #11363 • Feature: Removed Python 2.7 support, as a result of an unsolvable security vulnerability in pyjwt. #11357 . Docs here • Feature: The conanfile.txt file now accepts a [layout] that can in save_sh function. #11123 • Bugfix: Force conan_server to use pyjwt>=2.4.0 to solve a known vulnerability. #11350 • Bugfix: Fix case where CMakeDeps generator may use the wrong dependency name for transitive
0 码力 | 915 pages | 7.53 MB | 1 year ago | 3
25 results in total













