Abstract
Despite the critical societal importance of computer security, security is not well integrated into the undergraduate computing curriculum. Security classes and tracks treat security issues as separable topics as opposed to fundamental issues that pervade all aspects of software development. Recently, there has been an increasing focus on security as a cross-cutting concern across the computer science curriculum. The Security Injections@Towson project provides resources and effective strategies to incorporate secure coding in the early programming classes. We describe the development, assessment, and dissemination of more than 40 lab-based security injection modules designed to be injected into courses with minimal impact on the curriculum. We include assessment results from 1,135 students across five diverse institutions demonstrating that the security injections help students retain, comprehend, and apply secure coding concepts in the introductory programming courses.
Security Injections@Towson: Integrating Secure Coding into Introductory Computer Science Courses