Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.1186/s42400-020-00064-4

2020-12-01

Abstract:Abstract Software vulnerabilities, when actively exploited by malicious parties, can lead to catastrophic consequences. Proper handling of software vulnerabilities is essential in the industrial context, particularly when the software is deployed in critical infrastructures. Therefore, several industrial standards mandate secure coding guidelines and industrial software developers’ training, as software quality is a significant contributor to secure software. CyberSecurity Challenges (CSC) form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry. These cybersecurity awareness events have been used with success in industrial environments. However, until now, these coached events took place on-site. In the present work, we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online. The introduced cybersecurity awareness platform, which the authors call Sifu, performs automatic assessment of challenges in compliance to secure coding guidelines, and uses an artificial intelligence method to provide players with solution-guiding hints. Furthermore, due to its characteristics, the Sifu platform allows for remote (online) learning, in times of social distancing. The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events. We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.

computer science, information systems, interdisciplinary applications, software engineering

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.48550/arXiv.2102.05345

2021-02-10

Abstract:Awareness of cybersecurity topics facilitates software developers to produce secure code. This awareness is especially important in industrial environments for the products and services in critical infrastructures. In this work, we address how to raise awareness of software developers on the topic of secure coding. We propose the "CyberSecurity Challenges", a serious game designed to be used in an industrial environment and address software developers' needs. Our work distils the experience gained in conducting these CyberSecurity Challenges in an industrial setting. The main contributions are the design of the CyberSecurity Challenges events, the analysis of the perceived benefits, and practical advice for practitioners who wish to design or refine these games.

Software Engineering

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque,Anmoal Porwal

DOI: https://doi.org/10.48550/arXiv.2102.10430

2021-02-20

Software Engineering

Abstract:Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.

Alexandre Verdet,Mohammad Hamdaqa,Leuson Da Silva,Foutse Khomh

2023-08-08

Abstract:Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools, allowing the community to conveniently manage and configure cloud infrastructure using scripts. However, the scripting process itself does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices. In order to understand how practitioners deal with this problem, in this work, we perform an empirical study analyzing the adoption of IaC scripted security best practices. First, we select and categorize widely recognized Terraform security practices promulgated in the industry for popular cloud providers such as AWS, Azure, and Google Cloud. Next, we assess the adoption of these practices by each cloud provider, analyzing a sample of 812 open-source projects hosted on GitHub. For that, we scan each project configuration files, looking for policy implementation through static analysis (checkov). Additionally, we investigate GitHub measures that might be correlated with adopting these best practices. The category Access policy emerges as the most widely adopted in all providers, while Encryption in rest are the most neglected policies. Regarding GitHub measures correlated with best practice adoption, we observe a positive, strong correlation between a repository number of stars and adopting practices in its cloud infrastructure. Based on our findings, we provide guidelines for cloud practitioners to limit infrastructure vulnerability and discuss further aspects associated with policies that have yet to be extensively embraced within the industry.

Cryptography and Security,Software Engineering

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.48550/arXiv.2102.10432

2021-02-21

Abstract:Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers' needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience of the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.

Software Engineering

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque,Alae Zouitni

DOI: https://doi.org/10.48550/arXiv.2101.02108

2021-01-07

Abstract:According to a recent survey with more than 4000 software developers, less than half of developers can spot security holes. As a result, software products present a low-security quality expressed by vulnerabilities that can be exploited by cyber-criminals. This lack of quality and security is particularly dangerous if the software which contains the vulnerabilities is deployed in critical infrastructures. Serious games, and in particular, Capture-the-Flag(CTF) events, have shown promising results in improving secure coding awareness of software developers in the industry. The challenges in the CTF event, to be useful, must be adequately designed to address the target group. This paper presents novel contributions by investigating which challenge types are adequate to improve software developers' ability to write secure code in an industrial context. We propose 1) six challenge types usable in the industry context, and 2) a structure for the CTF challenges. Our investigation also presents results on 3) how to include hints and penalties into the cyber-security challenges. We evaluated our work through a survey with security experts. While our results show that "traditional" challenge types seem to be adequate, they also reveal a new class of challenges based on code entry and interaction with an automated coach.

Software Engineering

Tiange Zhao,Tiago Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.1016/j.jss.2023.111946

IF: 3.5

2024-01-04

Journal of Systems and Software

Abstract:The important missions of modern software engineering education are to prepare software engineers to work in a hybrid mode and to address the need to enable them to write secure code and deliver secure products and services to the customer. Providing training akin to an authentic experience poses several challenges, such as hybrid infrastructures, lack of engagement, and interactions. Cybersecurity and cybersecurity awareness have also gained importance due to the shift towards work-from-home (WFH) or work-from-anywhere (WFA): The work environment is forced to be distributed across large heterogeneous networks with different security levels. We perceive hybrid work as a work mode where the team members follow WFH or WFA and work from the office. Therefore various security levels at the workplace and restrictions on informal team communications need to be taken into account. We report on experiences from an industrial company producing software and cyber–physical systems. Initially set to update the existing secure code guidelines, the study lead to the discovery that it is crucial to go beyond an up-to-date set of security guidelines: it is mandatory to raise the cybersecurity awareness of those who are to follow the guidelines. We present a novel approach, via serious games, to train software engineers working in the industry, which is delivered in a hybrid mode and equips practitioners to face the challenges of hybrid work. Serious games have more than just entertainment purposes. They have proven effective ways to maintain engagement and boost training, particularly in cybersecurity. We developed and used two innovative serious games to raise cybersecurity awareness: (1) CyberSecurity Challenges (CSC), about how to develop secure software; and (2) Cloud of Assets and Threats (CATS), about cloud security, including its shared responsibility model. It is decisive for the industry that the software is written, developed, and deployed securely. The cloud service has replaced many on-premises deployments. It is essential to enable hybrid work, turning knowledge and practice about cloud security into essential capacities for professional hybrid work. We provide the theoretical foundations for the two serious games and the overall approach. We also report and analyze more than 300 industry practitioners' training experiences from 2017 to 2023 and use this to evaluate the games. By applying serious games in the industry, among practitioners, we gain valuable experience in combining the advantage of different training modes and mitigating the disadvantage of online training. We observe the impact of serious games through a scientifically-sound approach based on the data and feedback we collected systematically from the trainers', trainees', and organization's perspectives. We show through empirical evidence that serious games are a successful approach for training conducted in hybrid work mode while providing authentic and immersed experiences that empower and raise cybersecurity awareness of current and future software professionals.

computer science, theory & methods, software engineering

Tiago Espinha Gasiba,Ulrike Lechner

DOI: https://doi.org/10.48550/arXiv.2102.10431

2021-02-21

Abstract:Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: first, secure coding must be based on a set of secure coding guidelines, and second software developers must be aware of these secure coding practices. On the one side, secure coding guidelines seems a bit like a black-art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known by the people which should be using them, i.e. software developers. Motivated both by the secure coding requirements from industry standards and also by the mandate to train staff on IT security by the global industry initiative "Charter of Trust", this paper presents an overview of important research questions on how to choose secure coding guidelines and on how to raise software developer awareness for secure coding using serious games.

Software Engineering

Tiago Espinha Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque

DOI: https://doi.org/10.3390/info11110533

2020-11-16

Information

Abstract:Cybersecurity vulnerabilities in industrial control systems have been steadily increasing over the last few years. One possible way to address this issue is through raising the awareness (through education) of software developers, with the intent to increase software quality and reduce the number of vulnerabilities. CyberSecurity Challenges (CSCs) are a novel serious game genre that aims to raise industrial software developers’ awareness of secure coding, secure coding guidelines, and secure coding best practices. An important industry-specific requirement to consider in designing these kinds of games is related to the whole event’s duration and how much time it takes to solve each challenge individually—the challenge solve time. In this work, we present two different methods to compute the challenge solve time: one method based on data collected from the CSC dashboard and another method based on a challenge heartbeat. The results obtained by both methods are presented; both methods are compared to each other, and the advantages and limitations of each method are discussed. Furthermore, we introduce the notion of a player profile, which is derived from dashboard data. Our results and contributions aim to establish a method to measure the challenge solve time, inform the design of future challenges, and improve coaching during CSC gameplay.

Tiago Espinha Gasiba,Kristian Beckers,Santiago Suppan,Filip Rezabek

DOI: https://doi.org/10.48550/arXiv.2101.02100

2021-01-06

Software Engineering

Abstract:Teaching industry staff on cybersecurity issues is a fundamental activity that must be undertaken in order to guarantee the delivery of successful and robust products to market. Much research attention has been devoted to this topic over the last years. However, the research which has been done has not focused on developing secure code in industrial environments. In this paper we take a look at the constraints and requirements for delivering a training, by means of cybersecurity challenges, that covers secure coding topics from an industry perspective. Using requirements engineering, we aim at understanding the design requirements for such challenges. Along the way, we give details on our experience of delivering cybersecurity challenges in an industrial setting and show the outcome and lessons learned. The proposed requirements for cybersecurity challenges geared towards software developers in an industrial environment are based on systematic literature review, interviews with security experts from the industry and semi-structured evaluation of participant feedback.

Nicholas Springer,Wu-chang Feng

DOI: https://doi.org/10.48550/arXiv.2107.12566

2021-07-27

Abstract:Organizations have rapidly shifted infrastructure and applications over to public cloud computing services such as AWS (Amazon Web Services), Google Cloud Platform, and Azure. Unfortunately, such services have security models that are substantially different and more complex than traditional enterprise security models. As a result, misconfiguration errors in cloud deployments have led to dozens of well-publicized breaches. This paper describes Thunder CTF, a scaffolded, scenario-based CTF (Capture-the-Flag) for helping students learn about and practice cloud security skills. Thunder CTF is easily deployed at minimal cost and is highly extensible to allow for crowd-sourced development of new levels as security issues evolve in the cloud.

Cryptography and Security

Daniele Antonioli,Hamid Reza Ghaeini,Sridhar Adepu,Martín Ochoa,Nils Ole Tippenhauer

DOI: https://doi.org/10.48550/arXiv.1702.03067

2017-02-10

Abstract:In this work, we consider challenges relating to security for Industrial Control Systems (ICS) in the context of ICS security education and research targeted both to academia and industry. We propose to address those challenges through gamified attack training and countermeasure evaluation. We tested our proposed ICS security gamification idea in the context of the (to the best of our knowledge) first Capture-The-Flag (CTF) event targeted to ICS security called SWaT Security Showdown (S3). Six teams acted as attackers in a security competition leveraging an ICS testbed, with several academic defense systems attempting to detect the ongoing attacks. The event was conducted in two phases. The online phase (a jeopardy-style CTF) served as a training session. The live phase was structured as an attack-defense CTF. We acted as judges and we assigned points to the attacker teams according to a scoring system that we developed internally based on multiple factors, including realistic attacker models. We conclude the paper with an evaluation and discussion of the S3, including statistics derived from the data collected in each phase of S3.

Cryptography and Security

Komal Bhupendra Vekaria,Prasad Calyam,Songjie Wang,Ramya Payyavula,Matthew Rockey,Nafis Ahmed

DOI: https://doi.org/10.1109/tlt.2021.3091904

2021-06-01

IEEE Transactions on Learning Technologies

Abstract:There is an increasing trend in cloud adoption of enterprise applications in, for example, manufacturing, healthcare, and finance. Such applications are routinely subject to targeted cyberattacks, which result in significant loss of sensitive data (e.g., due to data exfiltration in advanced persistent threats) or valuable utilities (e.g., due to resource the exfiltration of power in cryptojacking). There is a critical need to train highly skilled cybersecurity professionals, who are capable of defending against such targeted attacks. In this article, we present the design, development, and evaluation of the Mizzou Cyber Range, an online platform to learn basic/advanced cyber defense concepts and perform training exercises to engender the next-generation cybersecurity workforce. Mizzou Cyber Range features flexibility, scalability, portability, and extendability in delivering cyberattack/defense learning modules to students. We detail our "research-inspired learning" and "learn–apply–create" three-phase pedagogy methodologies in the development of four learning modules that include laboratory exercises and self-study activities using realistic cloud-based application testbeds. The learning modules allow students to gain skills in using latest technologies (e.g., elastic capacity provisioning, software-defined everything infrastructure) to implement sophisticated "attack defense by pretense" techniques. Students can also use the learning modules to understand the attacker–defender game in order to create disincentives (i.e., pretense initiation) that make the attacker's tasks more difficult, costly, time consuming, and uncertain. Lastly, we show the benefits of our Mizzou Cyber Range through the evaluation of student learning using auto-grading, rank assessments with peer standing- and monitoring of students' performance via feedback from prelab evaluation surveys and postlab technical assessments.

Hootan Alavizadeh,Hooman Alavizadeh,Dong Seong Kim,Julian Jang-Jaccard,Masood Niazi Torshiz

DOI: https://doi.org/10.48550/arXiv.1904.01758

2019-04-03

Abstract:Cloud service providers offer their customers with on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to utilize the benefit of cloud computing such as eliminating the capital expense of their computing need. There are security vulnerabilities and threats in the cloud. Many researches have been proposed to analyze the cloud security using Graphical Security Models (GSMs) and security metrics. In addition, it has been widely researched in finding appropriate defensive strategies for the security of the cloud. Moving Target Defense (MTD) techniques can utilize the cloud elasticity features to change the attack surface and confuse attackers. Most of the previous work incorporating MTDs into the GSMs are theoretical and the performance was evaluated based on the simulation. In this paper, we realized the previous framework and designed, implemented and tested a cloud security assessment tool in a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real-time, (2) automate the security modeling and analysis and visualize the GSMs using a Graphical User Interface via a web application, and (3) deploy three MTD techniques including Diversity, Redundancy, and Shuffle on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automation of deploying all the three MTD techniques on the UniteCloud.

Cryptography and Security

Yacong Gu,Lingyun Ying,Huajun Chai,Chu Qiao,Haixin Duan,Xing Gao

DOI: https://doi.org/10.1109/SP46215.2023.10179471

2023-01-01

Abstract:Continuous Integration (CI) is a widely-adopted software development practice for automated code integration. A typical CI workflow involves multiple independent stakeholders, including code hosting platforms (CHPs), CI platforms (CPs), and third party services. While CI can significantly improve development efficiency, unfortunately, it also exposes new attack surfaces. As the code executed by a CI task may come from a less-trusted user, improperly configured CI with weak isolation mechanisms might enable attackers to inject malicious code into victim software by triggering a CI task. Also, one insecure stakeholder can potentially affect the whole process. In this paper, we systematically study potential security threats in CI workflows with multiple stakeholders and major CP components considered. We design and develop an analysis tool, CInspector, to investigate potential vulnerabilities in seven popular CPs, when integrated with three mainstream CHPs. We find that all CPs have the risk of token leakage caused by improper resource sharing and isolation, and many of them utilize overprivileged tokens with improper validity periods. We further reveal four novel attack vectors that allow attackers to escalate their privileges and stealthy inject malicious code by executing a piece of code in a CI task. To understand the potential impact, we conduct a large-scale measurement on the three mainstream CHPs, scrutinizing over 1.69 million repositories. Our quantitative analysis demonstrates that some very popular repositories and large organizations are affected by these attacks. We have duly reported the identified vulnerabilities to CPs and received positive responses.

Yikuan Yan,Keman Huang,Michael Siegel

2024-03-03

Abstract:The growing system complexity from microservice architectures and the bilateral enhancement of artificial intelligence (AI) for both attackers and defenders presents increasing security challenges for cloud-native operations. In particular, cloud-native operators require a holistic view of the dynamic security posture for the cloud-native environment from a defense aspect. Additionally, both attackers and defenders can adopt advanced AI technologies. This makes the dynamic interaction and benchmark among different intelligent offense and defense strategies more crucial. Hence, following the multi-agent deep reinforcement learning (RL) paradigm, this research develops an agent-based intelligent security service framework (ISSF) for cloud-native operation. It includes a dynamic access graph model to represent the cloud-native environment and an action model to represent offense and defense actions. Then we develop an approach to enable the training, publishing, and evaluating of intelligent security services using diverse deep RL algorithms and training strategies, facilitating their systematic development and benchmark. The experiments demonstrate that our framework can sufficiently model the security posture of a cloud-native system for defenders, effectively develop and quantitatively benchmark different services for both attackers and defenders and guide further service optimization.

Cryptography and Security

Mst Shapna Akter,Juanjose Rodriguez-Cardenas,Hossain Shahriar,Akond Rahman,Fan Wu

DOI: https://doi.org/10.48550/arXiv.2311.16944

2023-08-14

Cryptography and Security

Abstract:The field of DevOps security education necessitates innovative approaches to effectively address the ever-evolving challenges of cybersecurity. In adopting a student-centered ap-proach, there is the need for the design and development of a comprehensive set of hands-on learning modules. In this paper, we introduce hands-on learning modules that enable learners to be familiar with identifying known security weaknesses, based on taint tracking to accurately pinpoint vulnerable code. To cultivate an engaging and motivating learning environment, our hands-on approach includes a pre-lab, hands-on and post lab sections. They all provide introduction to specific DevOps topics and software security problems at hand, followed by practicing with real world code examples having security issues to detect them using tools. The initial evaluation results from a number of courses across multiple schools show that the hands-on modules are enhancing the interests among students on software security and cybersecurity, while preparing them to address DevOps security vulnerabilities.

Marek Amanowicz,Mariusz Kamola

DOI: https://doi.org/10.3390/electronics11223835

IF: 2.9

2022-11-22

Electronics

Abstract:Protection against a growing number of increasingly sophisticated and complex cyberattacks requires the real-time acquisition of up-to-date information on identified threats and their potential impact on an enterprise's operation. However, the complexity and variety of IT/OT infrastructure interdependencies and the business processes and services it supports significantly complicate this task. Hence, we propose a novel solution here that provides security awareness of critical infrastructure entities. Appropriate measures and methods for comprehensively managing cyberspace security and resilience in an enterprise are provided, and these take into account the aspects of confidentiality, availability, and integrity of the essential services offered across the underlying business processes and IT infrastructure. The abstraction of these entities as business objects is proposed to uniformly address them and their interdependencies. In this paper, the concept of modeling the cyberspace of interdependent services, business processes, and systems and the procedures for assessing and predicting their attributes and dynamic states are depicted. The enterprise can build a model of its operation with the proposed formalism, which takes it to the first level of security awareness. Through dedicated simulation procedures, the enterprise can anticipate the evolution of actual or hypothetical threats and related risks, which is the second level of awareness. Finally, simulation-driven analyses can serve in guiding operations toward improvement with respect to resilience and threat protection, bringing the enterprise to the third level of awareness. The solution is also applied in the case study of an essential service provider.

engineering, electrical & electronic,computer science, information systems,physics, applied

Nestoras Chouliaras,Ioanna Kantzavelou,Leandros Maglaras,Grammati Pantziou,Mohamed Amine Ferrag

DOI: https://doi.org/10.7717/peerj-cs.1574

2023-09-07

PeerJ Computer Science

Abstract:Cyberattacks, particularly those targeting systems that store or handle sensitive data, have become more sophisticated in recent years. To face increasing threats, continuous capacity building and digital skill competence are needed. Cybersecurity hands-on training is essential to upskill cybersecurity professionals. However, the cost of developing and maintaining a cyber range platform is high. Setting up an ideal digital environment for cybersecurity exercises can be challenging and often need to invest a lot of time and system resources in this process. In this article, we present a lightweight cyber range platform that was developed under the open-source cloud platform OpenStack, based on Docker technology using IaC methodology. Combining the advantages of Docker technology, DevOps automation capabilities, and the cloud platform, the proposed cyber range platform achieves the maximization of performance and scalability while reducing costs and resources.

computer science, information systems, artificial intelligence, theory & methods

Aditya Saligrama,Cody Ho,Benjamin Tripp,Michael Abbott,Christos Kozyrakis

2024-10-02

Abstract:Making successful use of cloud computing for deploying scalable web applications requires nuanced approaches to both system design and deployment methodology, involving reasoning about the elasticity, cost, and security models of cloud services. Students commonly interact with cloud abstractions early in their technical careers, including during internships and academic research. Building cloud-native applications without a firm understanding of the fundamentals of cloud engineering can leave students susceptible to cost and security pitfalls common to cloud platforms. Yet, cloud computing is not commonly taught at the undergraduate level, because the technology and practices behind modern cloud deployment, such as containerization and infrastructure-as-code (IaC), have only recently matured into a set of general principles independent from specific providers' offerings. To address this gap, we designed an undergraduate-level course around these principles that framed cloud infrastructure deployment as a software engineering practice in support of scalable web applications, emphasizing the value of both cloud deployment and application design skills in building robust cloud-native systems. Our course featured a number of hands-on assignments that gave students experience with modern, best-practice concepts and tools such as IaC, containerization, observability, serverless computing, and continuous integration and deployment. We describe the design of the course, our experience teaching its initial offering in Winter 2024, and provide our reflections on what worked well and potential areas for improvement. Our course material is publicly available at <a class="link-external link-https" href="https://infracourse.cloud" rel="external noopener nofollow">this https URL</a>.

Computers and Society