Jun Zhu,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1145/2445196.2445396

2013-01-01

Abstract:Software flaws are a root cause of many of today's information security vulnerabilities. Current curricula emphasis on traditional information security issues does not address this root cause. We propose educating students on secure programming techniques through interactive tool support in the Integrated Development Environment (IDE). We believe this approach can complement other curricula efforts by teaching and providing continuous reinforcement of practices throughout programming tasks. In this paper, we evaluate our prototype tool, ASIDE, which provides instant security warnings, detailed explanations of vulnerabilities, and code generation. We report the results of an observational study on 20 students from an advanced Web programming course. The results provide early evidence that our tool could potentially help students learn about and practice secure programming in the context of their programming assignments.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Lwin Khin Shar,Christopher M. Poskitt,Kyong Jin Shim,Li Ying Leonard Wong

DOI: https://doi.org/10.48550/arXiv.2204.12416

2022-04-26

Cryptography and Security

Abstract:Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Brandon Earwood,Jeong Yang,Young Rae Kim

DOI: https://doi.org/10.1109/tale52509.2021.9678713

2021-12-05

Abstract:As security is a crucial aspect in the process of developing software systems, software engineers must have a strong understanding of security concepts for an application being developed and tested. There has been a growing demand for these skills to be taught on all knowledge levels in computing courses. This paper builds on a study related to a series of security modules designed to meet that demand for teaching security concepts to students in computer science courses. Six small lessons in three security modules are implemented into a CS2 course, and the outcomes of this implementation are assessed. Each concept in the modules is broken up into a general description of the security problem, sample code written in Java, and sample code of the solution. Along with the security modules, an open-ended, problem-solving Model-Eliciting Activity (MEA) was developed as a project for students to demonstrate an understanding of the security concepts. Experimental studies were conducted to investigate the teaching effectiveness of implementing cyber security modules with the MEA project and students' experiences in conceptual modeling tasks in problem solving. After implementing the security modules with the MEA, students showed a good understanding of cyber security concepts, and the instructor's beliefs about teaching shifted from teacher-centered to student-centered. 41.7% of the developed solutions from the MEA groups showed a sufficient degree of creativity, and 58.3% of the solutions seemed suitable for real-world implementation. The initial activities leading to student developed solutions effectively prepared students within the scope of the course, but additional discussion and resources may be necessary to expand on creativity and practicality.

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque,Daniel Mendez

DOI: https://doi.org/10.1109/icse-seet52601.2021.00034

2021-05-01

Abstract:The Department of Homeland Security in the United States estimates that 90% of software vulnerabilities can be traced back to defects in design and software coding. The financial impact of these vulnerabilities has been shown to exceed 380 million USD in industrial control systems alone. Since software developers write software, they also introduce these vulnerabilities into the source code. However, secure coding guidelines exist to prevent software developers from writing vulnerable code. This study focuses on the human factor, the software developer, and secure coding, in particular secure coding guidelines. We want to understand the software developers' awareness and compliance to secure coding guidelines and why, if at all, they aren't compliant or aware. We base our results on a large-scale survey on secure coding guidelines, with more than 190 industrial software developers. Our work's main contribution motivates the need to educate industrial software developers on secure coding guidelines, and it gives a list of fifteen actionable items to be used by practitioners in the industry. We also make our raw data openly available for further research.

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque,Alae Zouitni

DOI: https://doi.org/10.48550/arXiv.2101.02108

2021-01-07

Abstract:According to a recent survey with more than 4000 software developers, less than half of developers can spot security holes. As a result, software products present a low-security quality expressed by vulnerabilities that can be exploited by cyber-criminals. This lack of quality and security is particularly dangerous if the software which contains the vulnerabilities is deployed in critical infrastructures. Serious games, and in particular, Capture-the-Flag(CTF) events, have shown promising results in improving secure coding awareness of software developers in the industry. The challenges in the CTF event, to be useful, must be adequately designed to address the target group. This paper presents novel contributions by investigating which challenge types are adequate to improve software developers' ability to write secure code in an industrial context. We propose 1) six challenge types usable in the industry context, and 2) a structure for the CTF challenges. Our investigation also presents results on 3) how to include hints and penalties into the cyber-security challenges. We evaluated our work through a survey with security experts. While our results show that "traditional" challenge types seem to be adequate, they also reveal a new class of challenges based on code entry and interaction with an automated coach.

Software Engineering

Barbara J. Grosz,David Gray Grant,Kate Vredenburgh,Jeff Behrends,Lily Hu,Alison Simmons,Jim Waldo

DOI: https://doi.org/10.48550/arXiv.1808.05686

2018-08-16

Computers and Society

Abstract:Computing technologies have become pervasive in daily life, sometimes bringing unintended but harmful consequences. For students to learn to think not only about what technology they could create, but also about what technology they should create, computer science curricula must expand to include ethical reasoning about the societal value and impact of these technologies. This paper presents Embedded EthiCS, a novel approach to integrating ethics into computer science education that incorporates ethical reasoning throughout courses in the standard computer science curriculum. It thus changes existing courses rather than requiring wholly new courses. The paper describes a pilot Embedded EthiCS program that embeds philosophers teaching ethical reasoning directly into computer science courses. It discusses lessons learned and challenges to implementing such a program across different types of academic institutions.

Mohammad Tahaei,Adam Jenkins,Kami Vaniea,Maria Wolters

DOI: https://doi.org/10.48550/arXiv.2103.09905

2021-03-13

Cryptography and Security

Abstract:The security attitudes and approaches of software developers have a large impact on the software they produce, yet we know very little about how and when these views are constructed. This paper investigates the security and privacy (S&P) perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews. We find that the attitudes of students already match many of those that have been observed in professional level developers. Students have a range of hacker and attack mindsets, lack of experience with security APIs, a mixed view of who is in charge of S&P in the software life cycle, and a tendency to trust other peoples' code as a convenient approach to rapidly build software. We discuss the impact of our results on both curriculum development and support for professional developers.

Tao Xie,Judith Bishop,Nikolai Tillmann,Jonathan de Halleux

DOI: https://doi.org/10.1145/2746194.2746220

2015-01-01

Abstract:Sophistication and flexibility of software development make it easy to leave security vulnerabilities in software applications for attackers. It is critical to educate and train software engineers to avoid introducing vulnerabilities in software applications in the first place such as adopting secure coding mechanisms and conducting security testing. A number of websites provide training grounds to train people's hacking skills, which are highly related to security testing skills, and train people's secure coding skills. However, there exists no interactive gaming platform for instilling gaming aspects into the education and training of secure coding. To address this issue, we propose to construct secure coding duels in Code Hunt, a high-impact serious gaming platform released by Microsoft Research. In Code Hunt, a coding duel consists of two code segments: a secret code segment and a player-visible code segment. To solve a coding duel, a player iteratively modifies the player-visible code segment to match the functional behaviors of the secret code segment. During the duel-solving process, the player is given clues as a set of automatically generated test cases to characterize sample functional behaviors of the secret code segment. The game aspect in Code Hunt is to recognize a pattern from the test cases, and to re-engineer the player-visible code segment to exhibit the expected behaviors. Secure coding duels proposed in this work are coding duels that are carefully designed to train players' secure coding skills, such as sufficient input validation and access control.

Debarati Basu,Harinni K. Kumar,Vinod K. Lohani,N. Dwight Barnette,Godmar Back,Dave McPherson,Calvin J. Ribbens,Paul E. Plassmann

DOI: https://doi.org/10.1145/3328778.3366798

2020-02-26

Abstract:Cybersecurity education has been emphasized by several national organizations in the United States, including the National Academy of Engineering, which recognizes securing cyberspace as one of the 14 Engineering Grand Challenges. To prepare students for such challenges and to enhance cybersecurity education opportunities at our large research university, we implemented an NSF-funded cybersecurity education project. This project is a collaborative effort between faculty and graduate students in the Engineering Education, Computer Science (CS) and Computer Engineering (CPE) departments at a major US research university. In this effort, we integrated cybersecurity learning modules into multiple existing core CS and CPE courses following Jerome Bruner's spiral-theory model, which has previously been used to reformulate several academic curricula. In this paper, we present our cybersecurity curriculum initiative, describe the spiral-theory based process we developed to implement the curriculum and provide an in-depth description of four reusable cybersecurity learning modules that we developed. A core tenet of spiral theory holds to revisit topics as students advance through their curriculum. This work applies this approach to Cybersecurity education by carefully designing the learning objectives of the modules and its contents. For evaluating these learning modules we implemented pre and post-tests to assess students' technical knowledge, their perceptions towards the modules' learning objectives, and how it influenced their motivation to learn cybersecurity. Our findings are overwhelmingly positive and the students' feedback has helped us improve these learning modules. Since its inception, our initiative has educated more than $2\,000$ students and is currently being used to revise the affected courses' syllabi.

Tiago Espinha Gasiba,Ulrike Lechner

DOI: https://doi.org/10.48550/arXiv.2102.10431

2021-02-21

Abstract:Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: first, secure coding must be based on a set of secure coding guidelines, and second software developers must be aware of these secure coding practices. On the one side, secure coding guidelines seems a bit like a black-art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known by the people which should be using them, i.e. software developers. Motivated both by the secure coding requirements from industry standards and also by the mandate to train staff on IT security by the global industry initiative "Charter of Trust", this paper presents an overview of important research questions on how to choose secure coding guidelines and on how to raise software developer awareness for secure coding using serious games.

Software Engineering

Na Meng,Stefan Nagy,Daphne Yao,Wenjie Zhuang,Gustavo Arango Argoty

DOI: https://doi.org/10.48550/arXiv.1709.09970

2017-09-28

Abstract:Java platform and third-party libraries provide various security features to facilitate secure coding. However, misusing these features can cost tremendous time and effort of developers or cause security vulnerabilities in software. Prior research was focused on the misuse of cryptography and SSL APIs, but did not explore the key fundamental research question: what are the biggest challenges and vulnerabilities in secure coding practices? In this paper, we conducted a comprehensive empirical study on StackOverflow posts to understand developers' concerns on Java secure coding, their programming obstacles, and potential vulnerabilities in their code. We observed that developers have shifted their effort to the usage of authentication and authorization features provided by Spring security--a third-party framework designed to secure enterprise applications. Multiple programming challenges are related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring security. More interestingly, we identified security vulnerabilities in the suggested code of accepted answers. The vulnerabilities included using insecure hash functions such as MD5, breaking SSL/TLS security through bypassing certificate validation, and insecurely disabling the default protection against Cross Site Request Forgery (CSRF) attacks. Our findings reveal the insufficiency of secure coding assistance and education, and the gap between security theory and coding practices.

Cryptography and Security

Julie Jarzemsky,Joshua Paup,Casey Fiesler

DOI: https://doi.org/10.1145/3545945.3569846

2023-01-20

Abstract:There is a growing movement in undergraduate computer science (CS) programs to embed ethics across CS classes rather than relying solely on standalone ethics courses. One strategy is creating assignments that encourage students to reflect on ethical issues inherent to the code they write. Building off prior work that has surveyed students after doing such assignments in class, we conducted focus groups with students who reviewed a new introductory ethics-based CS assignment. In this experience report, we present a case study describing our process of designing an ethics-based assignment and proposing the assignment to students for feedback. Participants in our focus groups not only shared feedback on the assignment, but also on the integration of ethics into coding assignments in general, revealing the benefits and challenges of this work from a student perspective. We also generated novel ethics-oriented assignment concepts alongside students. Deriving from tech controversies that participants felt most affected by, we created a bank of ideas as a starting point for further curriculum development.

Computer Science

Maryam Taeb

DOI: https://doi.org/10.48550/arXiv.2302.00750

2023-02-01

Cryptography and Security

Abstract:As the role of information and communication technologies gradually increases in our lives, source code security becomes a significant issue to protect against malicious attempts Furthermore with the advent of data-driven techniques, there is now a growing interest in leveraging machine learning and natural language processing as a source code assurance method to build trustworthy systems Therefore training our future software developers to write secure source code is in high demand In this thesis we propose a framework including learning modules and hands on labs to guide future IT professionals towards developing secure programming habits and mitigating source code vulnerabilities at the early stages of the software development lifecycle In this thesis our goal is to design learning modules with a set of hands on labs that will introduce students to secure programming practices using source code and log file analysis tools to predict and identify vulnerabilities In a Secure Coding Education framework we will improve students skills and awareness on source code vulnerabilities detection tools and mitigation techniques integrate concepts of source code vulnerabilities from Function API and library level to bad programming habits and practices leverage deep learning NLP and static analysis tools for log file analysis to introduce the root cause of source code vulnerabilities

Anthony Peruma,Eman Abdullah AlOmar,Wajdi Aljedaani,Christian D. Newman,Mohamed Wiem Mkaouer

2024-04-16

Abstract:Educating students about software testing practices is integral to the curricula of many computer science-related courses and typically involves students writing unit tests. Similar to production/source code, students might inadvertently deviate from established unit testing best practices, and introduce problematic code, referred to as test smells, into their test suites. Given the extensive catalog of test smells, it becomes challenging for students to identify test smells in their code, especially for those who lack experience with testing practices. In this experience report, we aim to increase students' awareness of bad unit testing practices, and detail the outcomes of having 184 students from three higher educational institutes utilize an IDE plugin to automatically detect test smells in their code. Our findings show that while students report on the plugin's usefulness in learning about and detecting test smells, they also identify specific test smells that they consider harmless. We anticipate that our findings will support academia in refining course curricula on unit testing and enabling educators to support students with code review strategies of test code.

Software Engineering

Kashyap Thimmaraju,Julian Fietkau,Fatemeh Ganji

DOI: https://doi.org/10.48550/arXiv.2003.11340

2020-03-25

Computers and Society

Abstract:In this paper we describe our experience in designing and evaluating our graduate level computer security seminar course. In particular, our seminar is designed with two goals in mind. First, to instil critical thinking by teaching graduate students how to read, review and present scientific literature. Second, to learn about the state-of-the-art in computer security and privacy research by reviewing proceedings from one of the top four security and privacy conferences including IEEE Symposium on Security and Privacy (Oakland SP), USENIX Security, Network and Distributed System Security Symposium (NDSS) and ACM Conference on Computer and Communications Security (CCS). The course entails each student to i) choose a specific technical session from the most recent conference, ii) review and present three papers from the chosen session and iii) analyze the relationship between the chosen papers from the session. To evaluate the course, we designed a set of questions to understand the motivation and decisions behind the students' choices as well as to evaluate and improve the quality of the course. Our key insights from the evaluation are the following: The three most popular topics of interest were Privacy, Web Security and Authentication, ii) 33% of the students chose the sessions based on the title of papers and iii) when providing an encouraging environment, students enjoy and engage in discussions.

Jialiang Tan,Yu Chen,Shuyin Jiao

2023-03-10

Abstract:Involving integrated development environments (IDEs) in introductory-level (CS1) programming courses is critical. However, it is difficult for instructors to find a suitable IDE that is beginner friendly and supports strong functionality. In this paper, we report the experience of using Visual Studio Code (VS Code) in a CS1 programming course. We describe our motivation for choosing VS Code and how we introduce it to students. We create comprehensive guidance with hierarchical indexing to help students with diverse programming backgrounds. We perform an experimental evaluation of students' programming experience of using VS Code and validate the VS Code together with guidance as a promising solution for CS1 programming courses.

Human-Computer Interaction,Programming Languages

Nafis Tanveer Islam,Gonzalo De La Torre Parra,Dylan Manual,Murtuza Jadliwala,Peyman Najafirad

2024-01-13

Abstract:Open Source Software (OSS) security and resilience are worldwide phenomena hampering economic and technological innovation. OSS vulnerabilities can cause unauthorized access, data breaches, network disruptions, and privacy violations, rendering any benefits worthless. While recent deep-learning techniques have shown great promise in identifying and localizing vulnerabilities in source code, it is unclear how effective these research techniques are from a usability perspective due to a lack of proper methodological analysis. Usually, these methods offload a developer's task of classifying and localizing vulnerable code; still, a reasonable study to measure the actual effectiveness of these systems to the end user has yet to be conducted. To address the challenge of proper developer training from the prior methods, we propose a system to link vulnerabilities to their root cause, thereby intuitively educating the developers to code more securely. Furthermore, we provide a comprehensive usability study to test the effectiveness of our system in fixing vulnerabilities and its capability to assist developers in writing more secure code. We demonstrate the effectiveness of our system by showing its efficacy in helping developers fix source code with vulnerabilities. Our study shows a 24% improvement in code repair capabilities compared to previous methods. We also show that, when trained by our system, on average, approximately 9% of the developers naturally tend to write more secure code with fewer vulnerabilities.

Software Engineering

Nafis Tanveer Islam,Mazal Bethany,Dylan Manuel,Murtuza Jadliwala,Peyman Najafirad

2024-08-31

Abstract:Software security remains a critical concern, particularly as junior developers, often lacking comprehensive knowledge of security practices, contribute to codebases. While there are tools to help developers proactively write secure code, their actual effectiveness in helping developers fix their vulnerable code remains largely unmeasured. Moreover, these approaches typically focus on classifying and localizing vulnerabilities without highlighting the specific code segments that are the root cause of the issues, a crucial aspect for developers seeking to fix their vulnerable code. To address these challenges, we conducted a comprehensive study evaluating the efficacy of existing methods in helping junior developers secure their code. Our findings across five types of security vulnerabilities revealed that current tools enabled developers to secure only 36.2\% of vulnerable code. Questionnaire results from these participants further indicated that not knowing the code that was the root cause of the vulnerability was one of their primary challenges in repairing the vulnerable code. Informed by these insights, we developed an automated vulnerability root cause (RC) toolkit called T5-RCGCN, that combines T5 language model embeddings with a graph convolutional network (GCN) for vulnerability classification and localization. Additionally, we integrated DeepLiftSHAP to identify the code segments that were the root cause of the vulnerability. We tested T5-RCGCN with 56 junior developers across three datasets, showing a 28.9\% improvement in code security compared to previous methods. Developers using the tool also gained a deeper understanding of vulnerability root causes, resulting in a 17.0\% improvement in their ability to secure code independently. These results demonstrate the tool's potential for both immediate security enhancement and long-term developer skill growth.

Software Engineering,Machine Learning

Rifat Sabbir Mansur

DOI: https://doi.org/10.1145/3328778.3372694

2020-02-26

Abstract:Gaining proficiency in code design, implementation, testing, and debugging in the context of large projects are essential parts of progressing beyond introductory programming. In intermediate (post CS2) programming courses, many students fail to complete one or more projects on time. The problem starts with poor time-management when developing projects with a 3-5 week lifecycle. These projects become even more difficult to manage if not developed incrementally. Many students neglect to write sufficient test cases and so miss that bugs exist. Then, they have trouble with locating a bug once it is identified. Our goal is to identify bad coding behaviors so that we can provide feedback to students long before the project is due. Therefore, we plan to analyze the time-management, incremental development, testing, and debugging behavior of students to distinguish better coding practice from worse. We have used mixed-method research techniques. First, we collected students' IDE-based clickstream data. From the clickstream data, we deduced the students' personal development process, such as to what extent they use a debugger vs print statements for debugging. We found 90% and 75% of students use print statements and debugger, respectively. We interviewed 12 students to understand their process for time-management, incremental development, testing, and debugging. We also plan to survey 300+ students to see if the interview findings represent the larger population. Our research will be extended to recognize bad coding behaviors in real-time and provide necessary feedback about best coding practices with the help of an intelligent developer assistant.