论文信息 - Evaluating Two Methods for Integrating Secure Programming Education

Evaluating Two Methods for Integrating Secure Programming Education

Security vulnerabilities are still prevalent in today's software, yet many can be prevented with standard secure programming techniques. Thus, educators of future developers need to teach students not just how to program, but how to program securely. Many researchers advocate integrating secure programming knowledge and skills across the computer science curriculum. In this paper, we report the results of a study comparing two such methods: our own tool ESIDE, which provides students with security warnings on assignment code, and a security-clinic approach, a one-on-one session with a teaching assistant. Both methods suffered from challenges in incentivizing students to incorporate secure programming techniques into their code. We discuss the relative strengths and weaknesses of these methods, and the challenges of timing and motivation of secure programming education.

[1] Jun Zhu,et al. Interactive support for secure programming education , 2013, SIGCSE '13.

[2] Jun Zhu,et al. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course , 2015, SIGCSE.

[3] Matt Bishop,et al. A Clinic for "Secure" Programming , 2010, IEEE Security & Privacy.

[4] Alexander L. Wijesinha,et al. A Dedicated Undergraduate Track in Computer Security Education , 2003, World Conference on Information Security Education.

[5] Deborah A. Frincke,et al. Teaching Secure Programming , 2005, IEEE Secur. Priv..

[6] Yi Pan,et al. Increasing Security Awareness in Undergraduate Courses with Labware (Abstract Only) , 2016, SIGCSE.

[7] Holger Junker. OWASP Enterprise Security API , 2012, Datenschutz und Datensicherheit - DuD.

[8] Shiva Azadegan,et al. Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum , 2006, InfoSecCD '06.

[9] Kara L. Nance,et al. Teach Them When They Aren't Looking: Introducing Security in CS1 , 2009, IEEE Security & Privacy.