Computer Security Training Recommender for Developers

Vulnerable code may cause security breaches in software systems, resulting in loss of confidential data and financial losses for organizations. Software developers must be given proper training to write secure code. Conventional training methods do not take the code written by the developers over time into account, which makes these training sessions less effective. We propose a Computer Security Training Recommender to help identify focused and narrow areas in which developers need training. The proposed recommender system leverages static analysis techniques to suggest the most appropriate training topics for different software developers; moreover, it uses public vulnerability repositories to suggest community-accepted solutions to different security problems. This paper presents an architecture of the proposed recommender system and a proof-of-concept case study. We found that vulnerabilities flagged in source code by static analysis tools can be mapped to relevant articles in a vulnerability repository. Hence, the mitigation strategies given in such articles may be used as a resource to train individual software developers. Preliminary empirical evaluation shows that the proposed system is promising.
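The abstract describes two steps: mapping each static-analysis finding to an article in a vulnerability repository, then aggregating the matched topics per developer into training recommendations. The following is an added illustration, not code from the paper or its prototype. It assumes a keyword (TF-IDF cosine) match between the tool's finding message and the article text, which is one possible realization; the paper does not specify its matching technique. The miniature "repository" (article texts keyed by CWE id) and the list of findings are constructed sample data.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample: a tiny vulnerability "repository". Keys are real CWE ids,
# the texts are short paraphrases written for this example, not repository content.
ARTICLES = {
    "CWE-89": "SQL injection: improper neutralization of special elements used in an SQL command. "
              "Mitigation: use parameterized queries and prepared statements; validate input.",
    "CWE-79": "Cross-site scripting (XSS): improper neutralization of input during web page generation. "
              "Mitigation: contextual output encoding, content security policy, validate input.",
    "CWE-120": "Buffer copy without checking size of input (classic buffer overflow). "
               "Mitigation: use bounded copy functions, check lengths, enable compiler protections.",
    "CWE-798": "Use of hard-coded credentials. Mitigation: store secrets outside source code, "
               "use a secrets manager, rotate credentials.",
}

# Constructed sample: static-analysis findings as (developer, tool message) pairs,
# i.e. the input the recommender would ingest from the analysis tool's report.
FINDINGS = [
    ("alice", "Possible SQL injection: query string built by concatenating user input into SQL command"),
    ("alice", "Untrusted input in SQL statement passed to execute()"),
    ("alice", "Reflected cross-site scripting: unencoded input written to web page"),
    ("bob", "strcpy into fixed-size buffer without checking input size; buffer overflow"),
    ("bob", "Hard-coded password credentials found in source"),
    ("bob", "Buffer overflow: sprintf to stack buffer with unchecked length"),
]

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case alphanumeric tokens; no stemming, so 'queries' != 'query'."""
    return TOKEN.findall(text.lower())


def build_index(articles):
    """TF-IDF weight vectors for each article plus the idf table used to weight queries."""
    docs = {aid: Counter(tokenize(text)) for aid, text in articles.items()}
    n = len(docs)
    df = Counter()
    for tf in docs.values():
        df.update(tf.keys())
    # Smoothed idf: terms present in every article still get weight 1.0.
    idf = {t: math.log((n + 1) / (c + 1)) + 1.0 for t, c in df.items()}
    vectors = {aid: {t: f * idf[t] for t, f in tf.items()} for aid, tf in docs.items()}
    return vectors, idf


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def match_article(message, vectors, idf):
    """Map one finding message to the best-matching article id.

    Returns (None, 0.0) when the message shares no vocabulary with any article,
    so an unmatched finding is reported rather than forced onto a wrong topic.
    """
    query = Counter(tokenize(message))
    # Terms unseen in the repository get weight 0: they cannot contribute to any match.
    qv = {t: f * idf.get(t, 0.0) for t, f in query.items()}
    best_id, best_score = None, 0.0
    for aid, av in vectors.items():
        score = cosine(qv, av)
        if score > best_score:
            best_id, best_score = aid, score
    return best_id, best_score


def recommend(findings, articles, top_n=2):
    """Per developer, count the matched topics and return the top_n as training recommendations."""
    vectors, idf = build_index(articles)
    per_dev = defaultdict(Counter)
    for dev, msg in findings:
        aid, _ = match_article(msg, vectors, idf)
        if aid is not None:
            per_dev[dev][aid] += 1
    return {dev: [aid for aid, _ in counts.most_common(top_n)] for dev, counts in per_dev.items()}


if __name__ == "__main__":
    for dev, topics in recommend(FINDINGS, ARTICLES).items():
        print(dev)
        for aid in topics:
            print("  ", aid, "->", ARTICLES[aid])
```

The per-developer counts are what distinguishes this from a plain lookup: the same finding type recurring in one developer's code raises that topic in their recommendation, while a developer who never triggers it is not sent to that training. A production version would need stemming or a learned matcher, a confidence threshold on the cosine score, and a real repository instead of the four constructed entries.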