Mst Shapna Akter,Juanjose Rodriguez-Cardenas,Hossain Shahriar,Akond Rahman,Fan Wu

DOI: https://doi.org/10.48550/arXiv.2311.16944

2023-08-14

Cryptography and Security

Abstract:The field of DevOps security education necessitates innovative approaches to effectively address the ever-evolving challenges of cybersecurity. In adopting a student-centered ap-proach, there is the need for the design and development of a comprehensive set of hands-on learning modules. In this paper, we introduce hands-on learning modules that enable learners to be familiar with identifying known security weaknesses, based on taint tracking to accurately pinpoint vulnerable code. To cultivate an engaging and motivating learning environment, our hands-on approach includes a pre-lab, hands-on and post lab sections. They all provide introduction to specific DevOps topics and software security problems at hand, followed by practicing with real world code examples having security issues to detect them using tools. The initial evaluation results from a number of courses across multiple schools show that the hands-on modules are enhancing the interests among students on software security and cybersecurity, while preparing them to address DevOps security vulnerabilities.

Maryam Taeb

DOI: https://doi.org/10.48550/arXiv.2302.00750

2023-02-01

Cryptography and Security

Abstract:As the role of information and communication technologies gradually increases in our lives, source code security becomes a significant issue to protect against malicious attempts Furthermore with the advent of data-driven techniques, there is now a growing interest in leveraging machine learning and natural language processing as a source code assurance method to build trustworthy systems Therefore training our future software developers to write secure source code is in high demand In this thesis we propose a framework including learning modules and hands on labs to guide future IT professionals towards developing secure programming habits and mitigating source code vulnerabilities at the early stages of the software development lifecycle In this thesis our goal is to design learning modules with a set of hands on labs that will introduce students to secure programming practices using source code and log file analysis tools to predict and identify vulnerabilities In a Secure Coding Education framework we will improve students skills and awareness on source code vulnerabilities detection tools and mitigation techniques integrate concepts of source code vulnerabilities from Function API and library level to bad programming habits and practices leverage deep learning NLP and static analysis tools for log file analysis to introduce the root cause of source code vulnerabilities

Faheem Ullah,Adam Johannes Raft,Mojtaba Shahin,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.1703.04277

2017-03-13

Abstract:Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs - one incorporates security tactics while the other does not. Both CDPs have been analyzed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections.

Software Engineering,Cryptography and Security

Michael Whitney,Heather Richter Lipford,Bill Chu,Jun Zhu

DOI: https://doi.org/10.1145/2676723.2677280

2015-01-01

Abstract:Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.

Valdemar Švábenský,Jan Vykopal,Daniel Tovarňák,Pavel Čeleda

DOI: https://doi.org/10.1109/FIE49875.2021.9637052

2021-12-21

Abstract:When learning cybersecurity, operating systems, or networking, students perform practical tasks using a broad range of command-line tools. Collecting and analyzing data about the command usage can reveal valuable insights into how students progress and where they make mistakes. However, few learning environments support recording and inspecting command-line inputs, and setting up an efficient infrastructure for this purpose is challenging. To aid engineering and computing educators, we share the design and implementation of an open-source toolset for logging commands that students execute on Linux machines. Compared to basic solutions, such as shell history files, the toolset's added value is threefold. 1) Its configuration is automated so that it can be easily used in classes on different topics. 2) It collects metadata about the command execution, such as a timestamp, hostname, and IP address. 3) Data are instantly forwarded to central storage in a unified, semi-structured format. This enables automated processing, both in real-time and post hoc, to enhance the instructors' understanding of student actions. The toolset works independently of the teaching content, the training network's topology, or the number of students working in parallel. We demonstrated the toolset's value in two learning environments at four training sessions. Over two semesters, 50 students played educational cybersecurity games using a Linux command-line interface. Each training session lasted approximately two hours, during which we recorded 4439 shell commands. The semi-automated data analysis revealed solution patterns, used tools, and misconceptions of students. Our insights from creating the toolset and applying it in teaching practice are relevant for instructors, researchers, and developers of learning environments. We provide the software and data resulting from this work so that others can use them.

Cryptography and Security,Computers and Society,Operating Systems

Dhruva Goyal,Sitaraman Subramanian,Aditya Peela

2024-09-15

Abstract:Security researchers are continually challenged by the need to stay current with rapidly evolving cybersecurity research, tools, and techniques. This constant cycle of learning, unlearning, and relearning, combined with the repetitive tasks of sifting through documentation and analyzing data, often hinders productivity and innovation. This has led to a disparity where only organizations with substantial resources can access top-tier security experts, while others rely on firms with less skilled researchers who focus primarily on compliance rather than actual security. We introduce "LLM Augmented Pentesting," demonstrated through a tool named "Pentest Copilot," to address this gap. This approach integrates Large Language Models into penetration testing workflows. Our research includes a "chain of thought" mechanism to streamline token usage and boost performance, as well as unique Retrieval Augmented Generation implementation to minimize hallucinations and keep models aligned with the latest techniques. Additionally, we propose a novel file analysis approach, enabling LLMs to understand files. Furthermore, we highlight a unique infrastructure system that supports if implemented, can support in-browser assisted penetration testing, offering a robust platform for cybersecurity professionals, These advancements mark a significant step toward bridging the gap between automated tools and human expertise, offering a powerful solution to the challenges faced by modern cybersecurity teams.

Cryptography and Security,Artificial Intelligence

Akond Rahman,Md. Rayhanur Rahman,Chris Parnin,Laurie Williams

DOI: https://doi.org/10.48550/arXiv.1907.07159

2020-06-21

Abstract:Context: Security smells are recurring coding patterns that are indicative of security weakness, and require further inspection. As infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code scripts through an empirical study of security smells in Ansible and Chef scripts. Methodology: We conduct a replication study where we apply qualitative analysis with 1,956 IaC scripts to identify security smells for IaC scripts written in two languages: Ansible and Chef. We construct a static analysis tool called Security Linter for Ansible and Chef scripts (SLAC) to automatically identify security smells in 50,323 scripts collected from 813 open source software repositories. We also submit bug reports for 1,000 randomly-selected smell occurrences. Results: We identify two security smells not reported in prior work: missing default in case statement and no integrity check. By applying SLAC we identify 46,600 occurrences of security smells that include 7,849 hard-coded passwords. We observe agreement for 65 of the responded 94 bug reports, which suggests the relevance of security smells for Ansible and Chef scripts amongst practitioners. Conclusion: We observe security smells to be prevalent in Ansible and Chef scripts, similar to that of the Puppet scripts. We recommend practitioners to rigorously inspect the presence of the identified security smells in Ansible and Chef scripts using (i) code review, and (ii) static analysis tools.

Cryptography and Security,Software Engineering

Roshan Namal Rajapakse,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2107.02096

2021-07-19

Abstract:Background: Security tools play a vital role in enabling developers to build secure software. However, it can be quite challenging to introduce and fully leverage security tools without affecting the speed or frequency of deployments in the DevOps paradigm. Aims: We aim to empirically investigate the key challenges practitioners face when integrating security tools into a DevOps workflow in order to provide recommendations to overcome them. Method: We conducted a study involving 31 systematically selected webinars on integrating security tools in DevOps. We used a qualitative data analysis method, i.e., thematic analysis, to identify the challenges and emerging solutions related to integrating security tools in rapid deployment environments. Results: We find that while traditional security tools are unable to cater for the needs of DevOps, the industry is moving towards new generations of tools that have started focusing on these requirements. We have developed a DevOps workflow that integrates security tools and a set of guidelines by synthesizing practitioners' recommendations in the analyzed webinars. Conclusion: While the latest security tools are addressing some of the requirements of DevOps, there are many tool-related drawbacks yet to be adequately addressed.

Cryptography and Security,Software Engineering

Lwin Khin Shar,Christopher M. Poskitt,Kyong Jin Shim,Li Ying Leonard Wong

DOI: https://doi.org/10.48550/arXiv.2204.12416

2022-04-26

Cryptography and Security

Abstract:Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Nafis Tanveer Islam,Mazal Bethany,Dylan Manuel,Murtuza Jadliwala,Peyman Najafirad

2024-08-31

Abstract:Software security remains a critical concern, particularly as junior developers, often lacking comprehensive knowledge of security practices, contribute to codebases. While there are tools to help developers proactively write secure code, their actual effectiveness in helping developers fix their vulnerable code remains largely unmeasured. Moreover, these approaches typically focus on classifying and localizing vulnerabilities without highlighting the specific code segments that are the root cause of the issues, a crucial aspect for developers seeking to fix their vulnerable code. To address these challenges, we conducted a comprehensive study evaluating the efficacy of existing methods in helping junior developers secure their code. Our findings across five types of security vulnerabilities revealed that current tools enabled developers to secure only 36.2\% of vulnerable code. Questionnaire results from these participants further indicated that not knowing the code that was the root cause of the vulnerability was one of their primary challenges in repairing the vulnerable code. Informed by these insights, we developed an automated vulnerability root cause (RC) toolkit called T5-RCGCN, that combines T5 language model embeddings with a graph convolutional network (GCN) for vulnerability classification and localization. Additionally, we integrated DeepLiftSHAP to identify the code segments that were the root cause of the vulnerability. We tested T5-RCGCN with 56 junior developers across three datasets, showing a 28.9\% improvement in code security compared to previous methods. Developers using the tool also gained a deeper understanding of vulnerability root causes, resulting in a 17.0\% improvement in their ability to secure code independently. These results demonstrate the tool's potential for both immediate security enhancement and long-term developer skill growth.

Software Engineering,Machine Learning

Jun Zhu,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1145/2445196.2445396

2013-01-01

Abstract:Software flaws are a root cause of many of today's information security vulnerabilities. Current curricula emphasis on traditional information security issues does not address this root cause. We propose educating students on secure programming techniques through interactive tool support in the Integrated Development Environment (IDE). We believe this approach can complement other curricula efforts by teaching and providing continuous reinforcement of practices throughout programming tasks. In this paper, we evaluate our prototype tool, ASIDE, which provides instant security warnings, detailed explanations of vulnerabilities, and code generation. We report the results of an observational study on 20 students from an advanced Web programming course. The results provide early evidence that our tool could potentially help students learn about and practice secure programming in the context of their programming assignments.

Hongmei Chi,Jinwei Liu,Weifeng Xu,Mingming Peng,Jon DeGoicoechea

DOI: https://doi.org/10.53735/cisse.v9i1.140

2022-03-08

Journal of The Colloquium for Information Systems Security Education

Abstract:The integration of cyber-physical systems (CPS) has been extremely advantageous to society, it merges the attention of cybersecurity for vehicles as a timely concern as a matter of public and individual. The failure of any vehicle system could have a serious impact on vehicle control and cause undesired consequences. With the growing demand for security in CPS, there are few hands-on labs/modules available for training current students, future engineers, or IT professionals to understand cybersecurity in CPS. This study describes the execution of a free security testbed to replicate a vehicle’s network system and the implementation of this testbed via hands-on lab designed to introduce concepts of vehicle control systems. The hands-on lab simulates insider threat scenarios where students had to use can-utils toolkits and SavvyCAN to send, modify, and capture the network packet and exploit the system vulnerability threats such as replay attacks and fuzzing attacks on the vehicle system. We conducted a case study with 21 university-level students, and all students completed the hands-on lab, pretest, posttest, and a satisfaction survey as part of a non-graded class assignment. The experimental results show that most students were not familiar with cyber-physical systems and vehicle control systems and never had the chance to do any hands-on lab in this field before. Furthermore, students reported that the hands-on lab helped them learn about CAN-bus and rated high scores for enjoyment. We discussed the design of an affordable tool to teach about vehicle control systems and proposed directions for future work.

Jan Vykopal,Valdemar Švábenský,Pavel Seda,Pavel Čeleda

DOI: https://doi.org/10.48550/arXiv.2201.01154

2022-01-04

Computers and Society

Abstract:Networking, operating systems, and cybersecurity skills are exercised best in an authentic environment. Students work with real systems and tools in a lab environment and complete assigned tasks. Since all students typically receive the same assignment, they can consult their approach and progress with an instructor, a tutoring system, or their peers. They may also search for information on the Internet. Having the same assignment for all students in class is standard practice efficient for learning and developing skills. However, it is prone to cheating when used in a summative assessment such as graded homework, a mid-term test, or a final exam. Students can easily share and submit correct answers without completing the assignment. In this paper, we discuss methods for automatic problem generation for hands-on tasks completed in a computer lab environment. Using this approach, each student receives personalized tasks. We developed software for generating and submitting these personalized tasks and conducted a case study. The software was used for creating and grading a homework assignment in an introductory security course enrolled by 207 students. The software revealed seven cases of suspicious submissions, which may constitute cheating. In addition, students and instructors welcomed the personalized assignments. Instructors commented that this approach scales well for large classes. Students rarely encountered issues while running their personalized lab environment. Finally, we have released the open-source software to enable other educators to use it in their courses and learning environments.

Kamil Malinka,Anton Firc,Pavel Loutocký,Jakub Vostoupal,Andrej Krištofík,František Kasl

DOI: https://doi.org/10.1145/3649217.3653633

2024-04-18

Abstract:To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into cybersecurity curriculum. This innovative approach aims to fill the gap in practical cybersecurity education and also brings additional positive benefits. To evaluate our idea, we include the proposed solution to a secure coding course for IT-oriented faculty. We let students choose to participate in a bug bounty programme as an option for the semester assignment in a secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.

Cryptography and Security

Mac Malone,Yicheng Wang,Fabian Monrose

DOI: https://doi.org/10.1145/3450329.3476859

2021-10-06

Abstract:We present an online gamified learning platform for computer science and cybersecurity education. Exercises within the platform revolve around a custom game wherein students can demonstrate learned skills regarding password security, web security, traffic analysis, reverse engineering, cryptanalysis, and much more. We describe some key features that together make our platform novel, including its distributed infrastructure, game engine, integrated development environment, automated feedback system, and support for individualization. We demonstrate how these features assist in the learning process --- both in theory and in practice --- and report on the use of the platform in a cybersecurity course.

Jan Vykopal,Pavel Seda,Valdemar vbensk,Pavel eleda,Valdemar Svabensky,Pavel Celeda

DOI: https://doi.org/10.1109/tlt.2022.3216345

2022-01-01

IEEE Transactions on Learning Technologies

Abstract:Hands-on computing education requires a realistic learning environment that enables students to gain and deepen their skills. Available learning environments, including virtual and physical laboratories, provide students with real-world computer systems but rarely adapt the learning environment to individual students of various proficiency and background. We design a unique and novel smart environment for the adaptive training of cybersecurity skills. The environment collects a variety of student data to assign a suitable learning path through the training. To enable such adaptiveness, we propose, develop, and deploy a new tutor model and a training format. We evaluate the learning environment using two different adaptive trainings attended by 114 students of various proficiency. The results show that students were assigned tasks with a more appropriate difficulty, which enabled them to successfully complete the training. Students reported that they enjoyed the training, felt the training difficulty was appropriately designed, and would attend more training sessions like these. Instructors can use the environment for teaching any topic involving real-world computer networks and systems because it is not tailored to particular training. We freely release the software along with exemplary training so that other instructors can adopt the innovations in their teaching practice.

education & educational research,computer science, interdisciplinary applications

Monther Aldwairi

DOI: https://doi.org/10.48550/arXiv.2208.12612

2022-08-17

Computers and Society

Abstract:Distance education had existed for a long time, then it has undergone a renaissance with the advent of computers and the Internet. Distance education relied on physically delivered material and assessments to students, who work offline at home. More recently, online learning or e-learning introduced virtual classrooms, assessments, online tests and transformed the classroom an into interactive online classroom. Despite the large number of online degrees offered, face-to-face remained the dominant mode and e-learning was just used to complement the classroom. The Covid-19 pandemic continues to impact higher education, and online learning is a forgone conclusion. However, the digital divide hindered the disadvantaged schools and students efforts to transition to online learning. As the pandemic continues to change the education landscape, many challenges arise and prevent student from realising the full potential of e-learning. One of those is the access to physical labs in science, engineering, and computer science programs. This study evaluates practical solutions for virtual labs to be used in teaching information security and ethical hacking. The course ran over five semesters, and 164 students were surveyed. The survey measured perceptions, enjoyment, experiences and attitudes towards virtual labs, and the results were supporting adoption and acceptance of virtual labs.

Brandon Earwood,Jeong Yang,Young Rae Kim

DOI: https://doi.org/10.1109/tale52509.2021.9678713

2021-12-05

Abstract:As security is a crucial aspect in the process of developing software systems, software engineers must have a strong understanding of security concepts for an application being developed and tested. There has been a growing demand for these skills to be taught on all knowledge levels in computing courses. This paper builds on a study related to a series of security modules designed to meet that demand for teaching security concepts to students in computer science courses. Six small lessons in three security modules are implemented into a CS2 course, and the outcomes of this implementation are assessed. Each concept in the modules is broken up into a general description of the security problem, sample code written in Java, and sample code of the solution. Along with the security modules, an open-ended, problem-solving Model-Eliciting Activity (MEA) was developed as a project for students to demonstrate an understanding of the security concepts. Experimental studies were conducted to investigate the teaching effectiveness of implementing cyber security modules with the MEA project and students' experiences in conceptual modeling tasks in problem solving. After implementing the security modules with the MEA, students showed a good understanding of cyber security concepts, and the instructor's beliefs about teaching shifted from teacher-centered to student-centered. 41.7% of the developed solutions from the MEA groups showed a sufficient degree of creativity, and 58.3% of the solutions seemed suitable for real-world implementation. The initial activities leading to student developed solutions effectively prepared students within the scope of the course, but additional discussion and resources may be necessary to expand on creativity and practicality.

Tim Sonnekalb,Christopher-Tobias Knaust,Bernd Gruner,Clemens-Alexander Brust,Lynn von Kurnatowski,Andreas Schreiber,Thomas S. Heinze,Patrick Mäder

2023-04-04

Abstract:Static analysis tools come in many forms andconfigurations, allowing them to handle various tasks in a (secure) development process: code style linting, bug/vulnerability detection, verification, etc., and adapt to the specific requirements of a software project, thus reducing the number of false positives.The wide range of configuration options poses a hurdle in their use for software developers, as the tools cannot be deployed out-of-the-box. However, static analysis tools only develop their full benefit if they are integrated into the software development workflow and used on regular. Vulnerability management should be integrated via version history to identify hotspots, for example. We present an analysis platform that integrates several static analysis tools that enable Git-based repositories to continuously monitor warnings across their version history. The framework is easily extensible with other tools and programming languages. We provide a visualization component in the form of a dashboard to display security trends and hotspots. Our tool can also be used to create a database of security alerts at a scale well-suited for machine learning applications such as bug or vulnerability detection.

Software Engineering

Neville Palmer

DOI: https://doi.org/10.1109/iccece46942.2019.8941804

2019-08-01

Abstract:Security is an essential aspect of the subject of computer networking in which students must understand the concepts and be confident in configuring security mechanisms on a range of network devices and systems as part of a Defence in Depth approach to IT security. Challenges are faced in assessing practical security exercises in a laboratory environment involving multivariate devices and operating systems that involve real equipment or simulation and real or virtualized environments. The working environment for a practical exercise must be pre-configured and once an exercise is completed the results extracted to enable formative or summative assessment of the outcomes of the exercise. Using manual methods this process can be time consuming and it would therefore be beneficial to implement some form of automation. To facilitate this a new application has been developed that automates the configuration management and assessment processes within a computer networking laboratory. The new application has been successfully used to assess the extent to which students have been able to configure a secure network utilizing a Defence in Depth approach within a case-study based exercise. The development challenges of the application and rationale for the implementation of the prototype application are discussed. A test methodology is presented and the results of applying this to the outcomes of a network security exercise are analysed. This demonstrates that the prototype application is able to assess the configuration of network security, in the context of defined parameters, to a high degree of accuracy. Further work might look at using the system to assess the security of business and industrial network in contrast to educational usage.