Security Injections@Towson: Integrating Secure Coding into Introductory Computer Science Courses

Published: 09 June 2016

Abstract

Despite the critical societal importance of computer security, security is not well integrated into the undergraduate computing curriculum. Security classes and tracks treat security issues as separable topics as opposed to fundamental issues that pervade all aspects of software development. Recently, there has been an increasing focus on security as a cross-cutting concern across the computer science curriculum. The Security Injections@Towson project provides resources and effective strategies to incorporate secure coding in the early programming classes. We describe the development, assessment, and dissemination of more than 40 lab-based security injection modules designed to be injected into courses with minimal impact on the curriculum. We include assessment results from 1,135 students across five diverse institutions demonstrating that the security injections help students retain, comprehend, and apply secure coding concepts in the introductory programming courses.



Published in: ACM Transactions on Computing Education, Volume 16, Issue 4 (October 2016), 120 pages. EISSN: 1946-6226. DOI: 10.1145/2954340.

Copyright © 2016 ACM.

Publisher: Association for Computing Machinery, New York, NY, United States.

Publication history: Received 1 July 2015; Revised 1 February 2016; Accepted 1 February 2016; Published 9 June 2016.
