Jun Zhu,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1145/2445196.2445396

2013-01-01

Abstract:Software flaws are a root cause of many of today's information security vulnerabilities. Current curricula emphasis on traditional information security issues does not address this root cause. We propose educating students on secure programming techniques through interactive tool support in the Integrated Development Environment (IDE). We believe this approach can complement other curricula efforts by teaching and providing continuous reinforcement of practices throughout programming tasks. In this paper, we evaluate our prototype tool, ASIDE, which provides instant security warnings, detailed explanations of vulnerabilities, and code generation. We report the results of an observational study on 20 students from an advanced Web programming course. The results provide early evidence that our tool could potentially help students learn about and practice secure programming in the context of their programming assignments.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Kamil Malinka,Anton Firc,Pavel Loutocký,Jakub Vostoupal,Andrej Krištofík,František Kasl

DOI: https://doi.org/10.1145/3649217.3653633

2024-04-18

Abstract:To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into cybersecurity curriculum. This innovative approach aims to fill the gap in practical cybersecurity education and also brings additional positive benefits. To evaluate our idea, we include the proposed solution to a secure coding course for IT-oriented faculty. We let students choose to participate in a bug bounty programme as an option for the semester assignment in a secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.

Cryptography and Security

Qiang Liu,Wentao Zhao,Minghui Wu,Chengzhang Zhu

DOI: https://doi.org/10.1145/3393527.3393528

2020-01-01

Abstract:Web security research and education are attracting much more attentions from industry and academia. In this paper, we report our teaching and learning experiences of a course entitled Web Security and Countermeasures (WebSC) in a multidisciplinary learning context. To achieve the learning outcome of practical skills improvement, we design a rounded teaching contents by jointly considering basic concepts, high-risk threats in OWASP TOP 10-2017 and emerging confrontation tools like PowerShell. Then, we coordinately adopt apprenticeship, interactive, problem-based and collaborative learning methods to improve the performance of all students. Finally, we integrate formative and summative assessment methods to conduct quantitative evaluation on students' learning performance and the instructor's teaching performance. Statistical results demonstrate the effectiveness of our course design and reveal some unforeseen findings that are very valuable for continuous improvement in near future.

Hossain Shahriar,Kai Qian,Atef Shalan,Fan Wu

DOI: https://doi.org/10.1109/COMPSAC48688.2020.0-123

2020-01-01

Abstract:While the number of mobile and web applications is growing exponentially, the mobile and web security threat landscape is growing explosively. Malicious malware may attack vulnerable applications and obtain personal or enterprise confidential data anywhere and anytime. Most vulnerabilities should be addressed and fixed during the early stages of software development. However, many software development professionals lack the awareness of the importance of security vulnerabilities and the necessary knowledge and skills at the software development stage. This paper addresses the needs and challenges of the lack of pedagogical materials and real-world learning environment in ProActive Control for Software Security (PASS) through effective, engaging, and investigative authentic learning approaches.

Michael Whitney,Heather Richter Lipford,Bill Chu,Jun Zhu

DOI: https://doi.org/10.1145/2676723.2677280

2015-01-01

Abstract:Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.

Christopher Krauss,Agathe Merceron,Truong-Sinh An,Miggi Zwicklbauer,Stephan Steglich,Stefan Arbanowski

DOI: https://doi.org/10.1145/3136907.3136937

2017-10-30

Abstract:The Learning Companion Application was actually designed to fit the needs of master craftsmen in a blended learning Energy Consultant Training at the chamber of crafts. It supports mobile learning particularly through its responsive design and recommendation engine. However, its design follows the recommended practice taught in a university course for master students about Advanced Web Technologies. That is why we introduced the same application for this computer science course to provide students with a contextual and situated learning experience: students learn with the help of a system that implements many concepts they have to learn. Topics, such as HTML5, the development of responsive web applications and recommender systems, are introduced in the lecture and can be experienced as real world examples by the students in the learning app as well. Similar to common learning management systems, our Learning Companion Application offers the lecture materials as digital media assets, such as texts, source code, animations or videos. In addition, the application tracks the interactions of the students in order to give overviews of the learners' knowledge levels on the different learning objects at every time, in order to identify learning weaknesses to improve teaching with the help of a learning analytics module. It can recommend appropriate learning objects which fit the predicted knowledge and the current situation of the learner, e.g. available time for learning. This paper presents taught concepts in the lecture and their implementation in the Learning Companion Application as well as a study of the interaction and learning behavior of the computer science students.

Muhammad Idris,Iwan Syarif,Idris Winarno

DOI: https://doi.org/10.24003/emitter.v10i2.705

2022-12-16

EMITTER International Journal of Engineering Technology

Abstract:The trend of API-based systems in web applications in the last few years keeps steadily growing. API allows web applications to interact with external systems to enable business-to-business or system-to-system integration which leads to multiple application innovations. However, this trend also comes with a different surface of security problems that can harm not only web applications, but also mobile and IoT applications. This research proposed a web application security education platform which is focused on the OWASP API security project. This platform provides different security risks such as excessive data exposure, lack of resources and rate-limiting, mass assignment, and improper asset management which cannot be found in monolithic security learning application like DVWA, WebGoat, and Multillidae II. The development also applies several methodologies such as Capture-The-Flag (CTF) learning model, vulnerability assessment, and container virtualization. Based on our experiment, we are successfully providing 10 API vulnerability challenges to the platform with 3 different levels of severity risk rating which can be exploited using tools like Burp Suite, SQLMap, and JWTCat. In the end, based on our performance experiment, all of the containers on the platform can be deployed in approximately 16 seconds with minimum storage resource and able to serve up to 1000 concurrent users with the average throughput of 50.58 requests per second, 96.35% successful requests, and 15.94s response time.

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque,Anmoal Porwal

DOI: https://doi.org/10.48550/arXiv.2102.10430

2021-02-20

Software Engineering

Abstract:Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.

Mst Shapna Akter,Juanjose Rodriguez-Cardenas,Hossain Shahriar,Akond Rahman,Fan Wu

DOI: https://doi.org/10.48550/arXiv.2311.16944

2023-08-14

Cryptography and Security

Abstract:The field of DevOps security education necessitates innovative approaches to effectively address the ever-evolving challenges of cybersecurity. In adopting a student-centered ap-proach, there is the need for the design and development of a comprehensive set of hands-on learning modules. In this paper, we introduce hands-on learning modules that enable learners to be familiar with identifying known security weaknesses, based on taint tracking to accurately pinpoint vulnerable code. To cultivate an engaging and motivating learning environment, our hands-on approach includes a pre-lab, hands-on and post lab sections. They all provide introduction to specific DevOps topics and software security problems at hand, followed by practicing with real world code examples having security issues to detect them using tools. The initial evaluation results from a number of courses across multiple schools show that the hands-on modules are enhancing the interests among students on software security and cybersecurity, while preparing them to address DevOps security vulnerabilities.

Ibrahim Alshehri,Adnan Alshehri,Abdulrahman Almalki,Majed Bamardouf,Alaqsa Akbar

2024-09-01

Abstract:The increasing complexity and scale of modern digital environments have exposed significant gaps in traditional cybersecurity penetration testing methods, which are often time-consuming, labor-intensive, and unable to rapidly adapt to emerging threats. There is a critical need for an automated solution that can efficiently identify and exploit vulnerabilities across diverse systems without extensive human intervention. BreachSeek addresses this challenge by providing an AI-driven multi-agent software platform that leverages Large Language Models (LLMs) integrated through LangChain and LangGraph in Python. This system enables autonomous agents to conduct thorough penetration testing by identifying vulnerabilities, simulating a variety of cyberattacks, executing exploits, and generating comprehensive security reports. In preliminary evaluations, BreachSeek successfully exploited vulnerabilities in exploitable machines within local networks, demonstrating its practical effectiveness. Future developments aim to expand its capabilities, positioning it as an indispensable tool for cybersecurity professionals.

Cryptography and Security,Artificial Intelligence

Neville Palmer

DOI: https://doi.org/10.1109/iccece46942.2019.8941804

2019-08-01

Abstract:Security is an essential aspect of the subject of computer networking in which students must understand the concepts and be confident in configuring security mechanisms on a range of network devices and systems as part of a Defence in Depth approach to IT security. Challenges are faced in assessing practical security exercises in a laboratory environment involving multivariate devices and operating systems that involve real equipment or simulation and real or virtualized environments. The working environment for a practical exercise must be pre-configured and once an exercise is completed the results extracted to enable formative or summative assessment of the outcomes of the exercise. Using manual methods this process can be time consuming and it would therefore be beneficial to implement some form of automation. To facilitate this a new application has been developed that automates the configuration management and assessment processes within a computer networking laboratory. The new application has been successfully used to assess the extent to which students have been able to configure a secure network utilizing a Defence in Depth approach within a case-study based exercise. The development challenges of the application and rationale for the implementation of the prototype application are discussed. A test methodology is presented and the results of applying this to the outcomes of a network security exercise are analysed. This demonstrates that the prototype application is able to assess the configuration of network security, in the context of defined parameters, to a high degree of accuracy. Further work might look at using the system to assess the security of business and industrial network in contrast to educational usage.

Jan Vykopal,Pavel Čeleda,Pavel Seda,Valdemar Švábenský,Daniel Tovarňák

DOI: https://doi.org/10.48550/arXiv.2110.10004

2021-10-19

Computers and Society

Abstract:This Innovative Practice full paper describes a technical innovation for scalable teaching of cybersecurity hands-on classes using interactive learning environments. Hands-on experience significantly improves the practical skills of learners. However, the preparation and delivery of hands-on classes usually do not scale. Teaching even small groups of students requires a substantial effort to prepare the class environment and practical assignments. Further issues are associated with teaching large classes, providing feedback, and analyzing learning gains. We present our research effort and practical experience in designing and using learning environments that scale up hands-on cybersecurity classes. The environments support virtual networks with full-fledged operating systems and devices that emulate real-world systems. (...) Using the presented environments KYPO Cyber Range Platform and Cyber Sandbox Creator, we delivered the classes on-site or remotely for various target groups of learners (K-12, university students, and professional learners). The learners value the realistic nature of the environments that enable exercising theoretical concepts and tools. The instructors value time-efficiency when preparing and deploying the hands-on activities. Engineering and computing educators can freely use our software, which we have released under an open-source license. We also provide detailed documentation and exemplary hands-on training to help other educators adopt our teaching innovations and enable sharing of reusable components within the community.

Jungwon Lim,Yonghwi Jin,Mansour Alharthi,Xiaokuan Zhang,Jinho Jung,Rajat Gupta,Kuilin Li,Daehee Jang,Taesoo Kim

DOI: https://doi.org/10.48550/arXiv.2112.15561

2022-01-01

Abstract:Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techniques by attackers and state-of-the-art defenses by browser vendors. Web browsers, arguably, are the most exciting place to learn the latest security issues and techniques, but remain as a black art to most security researchers because of their fast-changing characteristics and complex code bases. To bridge this gap, this paper attempts to systematize the security landscape of modern web browsers by studying the popular classes of security bugs, their exploitation techniques, and deployed defenses. More specifically, we first introduce a unified architecture that faithfully represents the security design of four major web browsers. Second, we share insights from a 10-year longitudinal study on browser bugs. Third, we present a timeline and context of mitigation schemes and their effectiveness. Fourth, we share our lessons from a full-chain exploit used in 2020 Pwn2Own competition. and the implication of bug bounty programs to web browser security. We believe that the key takeaways from this systematization can shed light on how to advance the status quo of modern web browsers, and, importantly, how to create secure yet complex software in the future.

Cryptography and Security

Patrick Stöckle,Michael Sammereier,Bernd Grobauer,Alexander Pretschner

DOI: https://doi.org/10.1109/AST58925.2023.00013

2023-03-10

Abstract:Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, there exist security-configuration guides specifying in detail which values are secure. However, most administrators still refrain from hardening existing systems because the system functionality is feared to deteriorate if secure settings are applied. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality. This article presents our approach to use combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. The administrators can then apply only the unproblematic rules and, therefore, increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.

Software Engineering

Rémi Garcia,Paolo Modesti

DOI: https://doi.org/10.3390/electronics13234660

2024-11-27

Abstract:To develop trustworthy distributed systems, verification techniques and formal methods, including lightweight and practical approaches, have been employed to certify the design or implementation of security protocols. Lightweight formal methods offer a more accessible alternative to traditional fully formalised techniques by focusing on simplified models and tool support, making them more applicable in practical settings. The technical advantages of formal verification over manual testing are increasingly recognised in the cybersecurity community. However, for practitioners, formal modelling and verification are often too complex and unfamiliar to be used routinely. In this paper, we present an Eclipse IDE for the design, verification, and implementation of security protocols and evaluate its effectiveness, including feedback from users in educational settings. It offers user-friendly assistance in the formalisation process as part of a Model-Driven Development approach. This IDE centres around the Alice & Bob (AnB) notation, the AnBx Compiler and Code Generator, the OFMC model checker, and the ProVerif cryptographic protocol verifier. For the evaluation, we identify the six most prominent limiting factors for formal method adoption, based on relevant literature in this field, and we consider the IDE's effectiveness against those criteria. Additionally, we conducted a structured survey to collect feedback from university students who have used the toolkit for their projects. The findings demonstrate that this contribution is valuable as a workflow aid and helps users grasp essential cybersecurity concepts, even for those with limited knowledge of formal methods or cryptography. Crucially, users reported that the IDE has been an important component to complete their projects and that they would use again in the future, given the opportunity.

Cryptography and Security,Software Engineering

Kanika Sharma,Naresh Kumar

DOI: https://doi.org/10.1109/iccccm.2013.6648920

2013-08-01

Abstract:Web applications are increasingly used to provide e-services such as online banking, online shopping, and social networking over the internet. With this advancement, the attacks over the web applications have also increased. According to Cenzic 2013 report 99% of web applications are vulnerable tested in 2012 [1]. The root causes behind these vulnerabilities are lack of security awareness, design flaws & implementation bugs. Writing secure code for web application is a complex task as developer emphasis more on implementation of business logic for web application rather than implementing it with secure logic. These vulnerabilities might be exploited by malicious users which can harm the database & reputation of an organization. In this paper we have proposed an Application Intrusion Detection System tool which can detect & prevent web application attacks at the time of occurrence. We have implemented proposed approach with ASP.NET web application and also perform Chi Square test to validate our assumptions. Once completed SWART has future potential to detect and prevent maximum attacks with less complexity.

Sean Loesch,Ryan Hrastich,Jordan Herbert,Ben Drangstveit,Jacob Weber,Mounika Vanamala

DOI: https://doi.org/10.48550/arXiv.2311.16131

2023-11-01

Cryptography and Security

Abstract:In modernity, we continually receive increasingly intricate technologies that allow us to increase our lives convenience and efficiency. Our technology, particularly technology available over the internet, is advancing at unprecedented speed. However, this speed of advancement allows those behind malicious attacks to have an increasingly easier time taking advantage of those who know little about computer security. Unfortunately, education in the computer security field is generally limited only to tertiary education. This research addresses this problem through a gamified web-based application that drives users to reach learning goals to help them become more vigilant internet users: 1. Learn and memorize general computer security terminology, 2. Become familiar with basic cryptography concepts, 3. Learn to recognize potential phishing scams via email quickly, and 4. Learn common attacks on servers and how to deal with them.

Andreas Eipper,Daniela Pöhn

DOI: https://doi.org/10.5220/0011667300003405

2024-07-23

Abstract:Cyber attacks are ubiquitous and a constantly growing threat in the age of digitization. In order to protect important data, developers and system administrators must be trained and made aware of possible threats. Practical training can be used for students alike to introduce them to the topic. A constant threat to websites that require user authentication is so-called brute-force attacks, which attempt to crack a password by systematically trying every possible combination. As this is a typical threat, but comparably easy to detect, it is ideal for beginners. Therefore, three open-source blue team scenarios are designed and systematically described. They are contiguous to maximize the learning effect.

Cryptography and Security

Valdemar Švábenský,Jan Vykopal

DOI: https://doi.org/10.48550/arXiv.1903.04174

2019-03-11

Computers and Society

Abstract:This Work-In-Progress Paper for the Innovative Practice Category presents a novel experiment in active learning of cybersecurity. We introduced a new workshop on hacking for an existing science-popularizing program at our university. The workshop participants, 28 teenagers, played a cybersecurity game designed for training undergraduates and professionals in penetration testing. Unlike in learning environments that are simplified for young learners, the game features a realistic virtual network infrastructure. This allows exploring security tools in an authentic scenario, which is complemented by a background story. Our research aim is to examine how young players approach using cybersecurity tools by interacting with the professional game. A preliminary analysis of the game session showed several challenges that the workshop participants faced. Nevertheless, they reported learning about security tools and exploits, and 61% of them reported wanting to learn more about cybersecurity after the workshop. Our results support the notion that young learners should be allowed more hands-on experience with security topics, both in formal education and informal extracurricular events.