Hossain Shahriar,Arabin Islam Talukder,Mohammad Rahman,Hongmei Chi,Sheikh Ahamed,Fan Wu

DOI: https://doi.org/10.1109/COMPSAC.2019.10274

2019-01-01

Abstract:Security vulnerabilities in an application open the ways to security dangers and attacks, which can easily jeopardize the system executing that application. Therefore, it is important to develop vulnerability-free applications. The best approach would be to counteract against potential vulnerabilities during the coding with secure programming practices. Software security proactive control education for secure portable and web application advancement is of enormous interests in the Information Technology (IT) fields. In this paper, we proposed and developed innovative learning modules for software security proactive control based on several real world scenarios to broaden and promote proactive control for secure software development in computing education.

Lixin Tao,Kai Qian,Dan Lo,Reza M. Parizi,Fan Wu,Bei-Tseng Chu

DOI: https://doi.org/10.1109/secon.2018.8478813

2018-01-01

Abstract:While the mobile applications are increasing dramatically, the mobile security threat landscape is also growing explosively. The malicious malware may attack vulnerable mobile apps to get personal or enterprise confidential data anywhere and anytime. Most vulnerabilities should be addressed and fixed in the early stage of mobile software development. However, many development professionals lack the awareness of the importance of security vulnerability and the necessary secure knowledge and skills at the development stage. Also, secure software development is still a relatively weak area and is not well represented in most schools' computing curriculum. This poster addresses the needs and challenges of the lack of pedagogical materials and real world learning environment in Secure Mobile Software Development (SMSD) through effective, engaging, and investigative authentic learning approaches.

Wanqing You,Kai Qian,Dan Chia-Tien Lo,Prabir Bhattacharya,Wei Chen,Tamara Rogers,Chern,Junfeng Yao

DOI: https://doi.org/10.1109/isecon.2015.7119924

2015-01-01

Abstract:It is of vital importance to provide mobile computing and security education to students in the computing fields. As the mobile applications become increasingly popular and inexpensive ways for people to communicate, share information and take advantage of convenient functionality in people's daily lives, they also regularly attract the interests of malicious attackers. Malware and spyware that may damage smart phones or steal sensitive information are also growing in every aspect of people's lives. Another concern lies in insecure mobile application development. This kind of programming makes mobile devices more vulnerable. For example, some insecure exposures of the APIs or the abuse of some components while developing apps will make the applications suffer from potential threats. Although many academic institutions have started to or planned to offer mobile computing courses, there is a shortage of hands-on lab modules and resources that can be integrated into multiple existing computing courses. In this paper, we present our development on mobile computing and security hands-on Labs and share our experiences in teaching courses on mobile computing and security with students' learning feedback using Android mobile devices.

Kai Qian,Dan Lo,Reza Parizi,Fan Wu,Emmanuel Agu,Bei-Tseng Chu

DOI: https://doi.org/10.1109/fie.2018.8659217

2018-01-01

Abstract:As mobile computing is now becoming more and more popular, the security threats to mobile applications are also growing explosively. Mobile app flaws and security defects could open doors for hackers to break into them and access sensitive information. Most vulnerabilities should be addressed in the early stage of mobile software development. However, many software development professionals lack awareness of the importance of security vulnerability and the necessary security knowledge and skills at the development stage. The combination of the prevalence of mobile devices and the rapid growth of mobile threats has resulted in a shortage of secure software development professionals. Many schools offer mobile app development courses in computing curriculum; however, secure software development is not yet well represented in most schools' computing curriculum. This paper addresses the needs of authentic and active pedagogical learning materials for SSD and challenges of building Secure Software Development (SSD) capacity through effective, engaging, and investigative approaches. In this paper, we present an innovative authentic and active SSD learning approach through a collection of transferrable learning modules with hands-on companion labs based on the Open Web Application Security Project (OWASP) recommendations. The preliminary feedback from students is positive. Students have gained hands-on real world SSD learning experiences with Android mobile platform and also greatly promoted self-efficacy and confidence in their mobile SSD learning.

Kai Qian,Dan Chia-Tien Lo,Hossain Shahriar,Lei Li,Fan Wu,Prabir Bhattacharya

DOI: https://doi.org/10.1109/FIE.2017.8190716

2017-01-01

Abstract:As mobile computing is becoming more and more popular, the security threats to mobile applications are simultaneously increasing explosively. Most malicious activities hack the user's private information, such as contact and location information, hijack the user's transactions and communications, and exploit the confidential enterprise data stored in mobile databases or in cache on mobile devices. Database security is one of the most important security areas to be addressed. Many schools are integrating database security topics into database and cybersecurity education. This paper addresses the needs for pedagogical learning materials for database security education and the challenges of building database security capacity through effective, engaging, and investigative learning approaches, through transferrable and integratable mobile-based learning modules with hands-on companion labs based on the OWASP recommendations, such as input validation, data encryption, data sharing, auditing, and others. The primary goal of this learning approach is to create a motivating learning environment that encourages and engages all students in database security concepts and practices learning. The preliminary feedback from students was positive. Students gained hands-on real world learning experiences on Mobile Database Security (MDS) with Android mobile devices, which also greatly promoted students' self-efficacy and confidence in their mobile security learning.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Kai Qian,Hossain Shahriar,Fan Wu,Lixin Tao,Prabir Bhattacharya

DOI: https://doi.org/10.1145/3059009.3072983

2017-01-01

Abstract:This poster addresses the needs of pedagogical learning materials for Secure Mobile Software Development(SMSD) education and challenges of building SMSD capacity. In this poster, we present an innovative authentic learning approach for SMSD through real-world-scenario case studies. The primary goal of this learning approach is to create an engaging and motivating learning environment that encourages students in learning emerging security concepts and practices such as mobile software developments. It provides students with hands-on laboratory practices on real-world mobile app developments and security. Each module consists of a series of progressive sub-labs: a pre-lab, lab activities, and a student add-on post-lab. The preliminary feedback from students is positive. Students have gained hands-on real world experiences on mobile security with Android mobile devices, which also greatly promoted students' self-efficacy and confidences in their mobile security learning.

Mst Shapna Akter,Juanjose Rodriguez-Cardenas,Hossain Shahriar,Akond Rahman,Fan Wu

DOI: https://doi.org/10.48550/arXiv.2311.16944

2023-08-14

Cryptography and Security

Abstract:The field of DevOps security education necessitates innovative approaches to effectively address the ever-evolving challenges of cybersecurity. In adopting a student-centered ap-proach, there is the need for the design and development of a comprehensive set of hands-on learning modules. In this paper, we introduce hands-on learning modules that enable learners to be familiar with identifying known security weaknesses, based on taint tracking to accurately pinpoint vulnerable code. To cultivate an engaging and motivating learning environment, our hands-on approach includes a pre-lab, hands-on and post lab sections. They all provide introduction to specific DevOps topics and software security problems at hand, followed by practicing with real world code examples having security issues to detect them using tools. The initial evaluation results from a number of courses across multiple schools show that the hands-on modules are enhancing the interests among students on software security and cybersecurity, while preparing them to address DevOps security vulnerabilities.

Jun Zhu,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1145/2445196.2445396

2013-01-01

Abstract:Software flaws are a root cause of many of today's information security vulnerabilities. Current curricula emphasis on traditional information security issues does not address this root cause. We propose educating students on secure programming techniques through interactive tool support in the Integrated Development Environment (IDE). We believe this approach can complement other curricula efforts by teaching and providing continuous reinforcement of practices throughout programming tasks. In this paper, we evaluate our prototype tool, ASIDE, which provides instant security warnings, detailed explanations of vulnerabilities, and code generation. We report the results of an observational study on 20 students from an advanced Web programming course. The results provide early evidence that our tool could potentially help students learn about and practice secure programming in the context of their programming assignments.

Qiang Liu,Wentao Zhao,Minghui Wu,Chengzhang Zhu

DOI: https://doi.org/10.1145/3393527.3393528

2020-01-01

Abstract:Web security research and education are attracting much more attentions from industry and academia. In this paper, we report our teaching and learning experiences of a course entitled Web Security and Countermeasures (WebSC) in a multidisciplinary learning context. To achieve the learning outcome of practical skills improvement, we design a rounded teaching contents by jointly considering basic concepts, high-risk threats in OWASP TOP 10-2017 and emerging confrontation tools like PowerShell. Then, we coordinately adopt apprenticeship, interactive, problem-based and collaborative learning methods to improve the performance of all students. Finally, we integrate formative and summative assessment methods to conduct quantitative evaluation on students' learning performance and the instructor's teaching performance. Statistical results demonstrate the effectiveness of our course design and reveal some unforeseen findings that are very valuable for continuous improvement in near future.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Xianyong Meng,Kai Qian,Dan Lo,Prabir Bhattacharya,Fan Wu

DOI: https://doi.org/10.1109/isncc.2018.8531071

2018-01-01

Abstract:The security threats to mobile application are growing explosively. Mobile app flaws and security defects could open doors for hackers to easily attack mobile apps. Secure software development must be addressed earlier in the development lifecycle rather than fixing the security holes after attacking. Early eliminating against possible security vulnerability will help us increase the security of our software, and militate the consequence of damages of data loss caused by potential malicious attacking. However, many software developer professionals lack the necessary security knowledge and skills at the development stage and Secure Mobile Software Development (SMSD) is not yet well represented in current computing curriculum. In this paper we present a static security analysis approach with open source FindSecurityBugs plugin for Android Studio IDE. We categorized the common mobile vulnerability for developers based on OWASP mobile security recommendations and developed detectors to meet the SMSD needs in industry and education.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Kai Qian,Hossain Shahriar,Fan Wu,Cassandra Thomas,Emmanuel Agu

DOI: https://doi.org/10.1145/3017680.3022438

2017-01-01

Abstract:In this poster we present an innovative authentic learning approach for Secure Mobile Software Development(SMSD) through real-world-scenario case studies. The primary goal of this learning approach is to create an engagement and motivating learning environment that encourages all students in learning emerging SMSD technologies and enhances their secure software development concepts. This approach provides students with hands-on laboratory practices on real-world SMSD and mobile security. The laboratory consists of multiple modules covering input validation, output encoding, secure inter-process communication, secure data protection, secure mobile database. Each topic consists of a series of progressive sub-labs: a pre-lab, lab activities, and a student add-on post-lab. The preliminary feedback from students is positive. Students have gained hands-on real world experiences on Android software security with Android mobile devices, which also greatly promoted students' self-efficacy and confidences in their mobile security learning.

Md Arabin Islam Talukder,Hossain Shahriar,Kai Qian,Mohammad Rahman,Sheikh Ahamed,Fan Wu,Emmanuel Agu

DOI: https://doi.org/10.1109/compsac.2019.00087

2019-01-01

Abstract:While the number of mobile applications are rapidly growing, these applications are often coming with numerous security flaws due to the lack of appropriate coding practices. Security issues must be addressed earlier in the development lifecycle rather than fixing them after the attacks because the damage might already be extensive. Early elimination of possible security vulnerabilities will help us increase the security of our software and mitigate or reduce the potential damages through data losses or service disruptions caused by malicious attacks. However, many software developers lack necessary security knowledge and skills required at the development stage, and Secure Mobile Software Development (SMSD) is not yet well represented in academia and industry. In this paper, we present a static analysis-based security analysis approach through design and implementation of a plugin for Android Development Studio, namely DroidPatrol. The proposed plugins can support developers by providing list of potential vulnerabilities early.

Zouheir Trabelsi,Mohammed Al Matrooshi,Saeed Al Bairaq,Walid Ibrahim,Mohammad M. Masud

DOI: https://doi.org/10.1007/s10639-015-9439-8

2015-09-16

Education and Information Technologies

Abstract:As mobile devices grow increasingly in popularity within the student community, novel educational activities and tools, as well as learning approaches can be developed to get benefit from this prevalence of mobile devices (e.g. mobility and closeness to students’ daily lives). Particularly, information security education should reflect the current trend in computing platforms away from the desktop and towards mobile devices. This paper discusses a case study of a learning approach that aims at taking advantages of the benefits of mobile devices and the best practices in learning information security, as well as promoting students’ interests and increasing their self-efficacy. The learning approach uses two Android learning apps to enhance students’ hands-on skills on firewall filtering rules implementation, by practicing network traffic filtering outside the traditional laboratory activities, in the real-world environment; i.e., anywhere and anytime, at the students’ convenience. Practically, the two Android apps are a firewall app and a packet generator app; both apps are freely available at Google Play Store. Based on statistics from the Google Play Store, in about one and a half years, the packet generator app turned popular with over 20,000 downloads worldwide and a 3.75 users’ rating. A comparative analysis of various existing Android firewall apps with the proposed firewall app emphasizes its significance. The impact of the Android apps on the students’ performance in terms of achieving the course outcomes is also discussed.

education & educational research

Abdul Hadi bin Abdul Rahman,Abdullah Nazir,Kim Tae Hyun,Tan Horng Yarng,Fatima-tuz-Zahra

DOI: https://doi.org/10.48550/arXiv.2012.10881

2020-12-20

Software Engineering

Abstract:Secure development process is a procedure taken by developers to ensure the programs developed are following the general security standards and will always be up to date so that the outcomes are well secured and obedient. As a software developer, it is very crucial to implement and develop a highly secured and reliable program for clients and users. In this current digital world where everything is advancing faster than we can ever think of, most of the old security policies can no longer be implemented alone. The consequences and impacts that could be brought upon a company are really huge if the software applications are not secured according to the modern trend. Therefore, in this paper research is done to asses the security integration in software development process. The concept and the purpose of this research is to provide insight about the current issues and challenges faced by most of the software developers in terms of secure software development. With a better and clearer explanation of these issues, challenges, and methodologies adopted to overcome them are discussed which can potentially provide a better and higher level of security along with better software programmers and client relationship. To comply with future demands and threats, security concerns need to be involved in all phases while developing a software system. Therefore, an effort is made to investigate and contribute to this domain through this paper.

Michael Whitney,Heather Richter Lipford,Bill Chu,Jun Zhu

DOI: https://doi.org/10.1145/2676723.2677280

2015-01-01

Abstract:Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.

Luo Qihan,Chen Shenlong,Xing Luyi,Li Ning,Zhang Yuanchao,Liu Peng,Wang Jian,Wen Guanxing,Zhang Yuqing,Liu Zhenqing,Liu Yuzhu

2011-01-01

Abstract:Education platform at Chinese Academy of Sciences is aiming at providing information support for cultivating high-level scientific specialists. Its web applications are large-scale, high-coupling and strong-interactive. As a result, it confronts many potential security risks. In this paper, we developed a target-oriented security enhancement methodology, which is implemented effectively in the web applications. With it, we have discovered and fixed 128 web security vulnerabilities. After the secure programming training, the sum of the two principal vulnerabilities, i.e. SQL injection and XSS, has dropped by 55.10%. Thus the web applications are secured remarkably.

Md. Mostafizur Rahman,Abdul Barek,Mst. Shapna Akter,ABM Kamrul Islam Riad,Md. Abdur Rahman,Hossain Shahriar,Akond Rahman,Fan Wu

DOI: https://doi.org/10.1109/compsac61105.2024.00388

2024-01-01

Abstract:This paper presents an innovative approach to DevOps security education, addressing the dynamic landscape of cybersecurity threats. We propose a student-centered learning methodology by developing comprehensive hands-on learning modules. Specifically, we introduce labware modules designed to automate static security analysis, empowering learners to identify known vulnerabilities efficiently. These modules offer a structured learning experience with pre-lab, hands-on, and post-lab sections, guiding students through DevOps concepts and security challenges. In this paper, we introduce hands-on learning modules that familiarize students with recognizing known security flaws through the application of Git Hooks. Through prac-tical exercises with real-world code examples containing security flaws, students gain proficiency in detecting vulnerabilities using relevant tools. Initial evaluations conducted across educational institutions indicate that these hands-on modules foster student interest in software security and cybersecurity and equip them with practical skills to address DevOps security vulnerabilities.