Secure Engineering in Modern C++: Preventing Catastrophic Failures 2026

Performance and Efficiency in C++ for Experts, Future Experts, and Everyone Else is a two-day onsite training course with programming exercises, taught by Fedor Pikus. It is offered at the Gaylord Rockies from 09:00 to 17:00 Aurora time (MDT) on Saturday and Sunday, September 12th and 13th, 2026 (immediately prior to the conference). Lunch is included.


Course Description

C++ powers infrastructure, financial systems, robotics, game engines, and safety-critical software. Its performance and control come with risk: small engineering mistakes can become catastrophic security failures.

This intensive two-day, hands-on training teaches professional C++ developers how to build resilient systems that remain secure under real-world pressure.

Participants will analyze insecure native code, exploit failure paths, and implement safer modern C++ patterns. Through guided code reviews, bug-fixing exercises, live threat modeling, and fuzz testing, attendees will learn how C++ systems are actually compromised and how to prevent those failures in their own software.

Topics include memory safety, dangerous language features, modern safer C++ patterns, parsing untrusted data, injection risks, authentication and authorization design, secret management, encryption, least-privilege architecture, supply chain risk, logging for detection, and incident readiness.

Attendees will collaborate on a live threat model, fuzz real code to uncover hidden defects, and practice making architectural decisions that reduce attack surface without sacrificing performance.

This is not a checklist-driven security course or a catalog of theoretical vulnerabilities. It is a deeply practical engineering workshop for developers who want to build software that survives contact with attackers.

Participants leave with repeatable secure coding techniques, safer design habits, and a mental model for making high-quality security decisions throughout the lifecycle of modern C++ systems.

No prior security experience is required.

Note: All labs are designed to run locally without requiring conference WiFi.

What Past Attendees Say

“Tanya’s training went well beyond filling secure coding knowledge gaps… Now our developers proactively find problems, ask great questions, and collaborate more effectively with our cybersecurity team.” – Developer Manager

“The ‘Bad, Better, Best’ technique made code reviews more focused and showed the difference between just fixing a problem and fixing it well. The sessions are engaging and grounded in real-world context.” – Engineering Manager

This material is drawn from real-world security programs, incidents, and professional training delivered to engineering teams worldwide.

Prerequisites

Participants will get the most value from this workshop if they meet the following requirements:

  • Technical Experience
    • Comfortable reading and writing C++
    • Familiar with core language concepts such as pointers, memory management, and object lifetimes
    • Prior professional or academic development experience recommended
  • Laptop Requirements: Participants must bring a laptop capable of running development tools locally. Please install the following before arrival:
    • Visual Studio Code (or another preferred C++ IDE)
    • A working C++ development environment capable of compiling modern C++ (C++17 or newer)
    • Git for cloning workshop materials
    • Ability to install open-source tools without administrative restrictions.
    • Reliable Wi-Fi capability
    • Note: all code will be available in advance and via USB key on site; Wi-Fi is a last resort.
  • Recommended (Not Required)
    • Familiarity with command-line workflows
    • Basic understanding of software architecture concepts
    • Experience debugging C++ applications
    • Participants should verify their environment by successfully compiling a simple “Hello, World” program before arrival.

Course Topics

This workshop combines lecture, guided labs, architecture exercises, threat modeling, fuzz testing, and structured code reviews.

  • Day 1 — How C++ Systems Get Compromised
    • Understanding the Native Threat Landscape
      • Examine how attackers target native applications and where modern C++ systems typically fail. Learn to recognize expanding attack surfaces and identify high-risk design decisions early.
      • Live Threat Modeling Exercise
        • Participants collaborate to build a threat model for a realistic native system, identify trust boundaries, and prioritize meaningful mitigations.
    • Memory Safety Deep Dive
      • Explore memory layout, lifetime risks, ownership mistakes, and undefined behavior as security concerns. Learn practical strategies for preventing use-after-free, buffer overflows, and related defects.
      • Hands-On Code Review and Bug Fixing
        • Analyze vulnerable C++ code and refactor it using safer patterns.
    • Dangerous Language Features and Safer Alternatives
      • Identify high-risk constructs such as raw pointers, unsafe casts, and integer misuse, then replace them with modern C++ approaches that reduce exploitability while preserving performance.
      • Guided Refactoring Exercise
    • Designing Safe Boundaries for Untrusted Data
      • Understand how parsing, serialization, file handling, and database interactions introduce risk. Learn defensive validation strategies, normalization techniques, and patterns that separate parsing from execution.
      • Secure Coding Lab:
        • Harden vulnerable data-handling code and eliminate injection paths.
    • Establishing Trust in Native Systems
      • Design authentication and authorization workflows appropriate for native software. Implement secure session handling, protect credentials, and manage secrets responsibly. Apply encryption to protect data in transit and at rest.
      • Code Review Exercise:
        • Identify trust failures and implement stronger designs.
  • Day 2 — Designing Systems That Survive Attack
    • Secure Architecture for Native Applications
      • Reduce attack surface through isolation, least-privilege design, and deliberate trust boundaries. Learn architectural strategies that prevent vulnerabilities from becoming system-wide compromises.
      • Architecture Exercise:
        • Improve the security posture of a sample system.
    • Securing the Software Supply Chain
      • Evaluate third-party components, dependencies, and update mechanisms. Learn how SBOM practices, component review, and patch readiness reduce organizational risk.
      • Risk Analysis Exercise
    • Fuzzing as an Engineering Practice
      • Understand why fuzz testing uncovers defects traditional tests miss and how to integrate fuzzing into modern development workflows.
      • Hands-On Fuzzing Lab:
        • Execute a prepared fuzz target, observe failures, and trace root causes.
    • Designing for Detection: Logging, Telemetry, and Incident Readiness
      • Build systems that generate actionable security signals. Learn what to log, how to structure telemetry, and how developers contribute to effective incident response.
      • Incident Simulation:
        • Investigate a realistic scenario using available logs.
    • Using AI Safely in C++ Development
      • Examine the risks associated with AI-generated code, including insecure patterns, dependency hallucination, and provenance concerns. Learn verification techniques that allow teams to benefit from AI while maintaining engineering rigor.
      • Code Review Exercise:
        • Evaluate AI-generated code for security weaknesses.
    • Common Failure Patterns in Production C++ Systems
      • Review recurring vulnerability patterns observed in real-world C++ systems and learn engineering heuristics that help prevent them.
    • Workshop Wrap-Up
      • Consolidate key lessons and translate them into repeatable engineering practices that improve resilience across the software lifecycle. Resources on where to learn more.

Course Instructor

Tanya Janca

Tanya Janca, aka SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Secure Coding’ and ‘Alice and Bob Learn Application Security’. She is currently the CEO and secure coding trainer at She Hacks Purple Consulting. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and Hacker of the Year), spoken all over the planet, and is a prolific blogger.

Tanya has trained thousands of software developers and IT security professionals via her online academies (We Hack Purple and Semgrep Academy) and her live training programs. Having performed counter-terrorism, led security for the 42nd Canadian general election, and developed or secured countless applications, Tanya Janca is widely considered an international authority on the security of software.
