ABSTRACT
Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.
Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course