Using a case study to teach students about finding and fixing logic flaws in software

An application logic flaw is a type of software vulnerability related to privilege manipulation or transaction control manipulation. Such flaws are often difficult to identify using automated scanners. A case study on the eCommerce merchant software Bigcommerce, integrated with PayPal Express as a third-party payment collector, was created to teach students about this topic. Case studies provide students with a real-world context and help them understand complex topics better than traditional teaching methods. However, the computer science field, and computer security in particular, does not have many case studies available. The case study on logic flaws in software was taught in Spring 2015, and the teaching experience is discussed.
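The transaction-control class of flaw named above, illustrated with an added example that is not from the paper, from Bigcommerce or from PayPal: a hypothetical store hands payment to a hypothetical collector, the flawed finalize step trusts the notice the shopper's browser relays, and the checked step re-queries the collector and compares transaction status, order id, amount and currency against the store's own order before marking it paid. The class names, the message shape, the `"COMPLETED"` status value and every scenario are constructed assumptions.

```python
"""Constructed illustration of a transaction-control logic flaw in a checkout
that delegates payment collection to a third-party service (hypothetical
store and collector; not Bigcommerce's or PayPal's code)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: Decimal
    currency: str


@dataclass(frozen=True)
class PaymentNotice:
    """Message the shopper's browser relays from the collector to the store."""
    txn_id: str
    order_id: str
    amount: Decimal
    currency: str
    status: str  # "COMPLETED" on success (constructed status value)


class PaymentCollector:
    """Stand-in for the third-party collector; its own records are authoritative."""

    def __init__(self):
        self._completed = {}

    def complete(self, txn_id, order_id, amount, currency):
        notice = PaymentNotice(txn_id, order_id, amount, currency, "COMPLETED")
        self._completed[txn_id] = notice
        return notice

    def lookup(self, txn_id):
        # Server-to-server query the store can make to confirm a transaction.
        return self._completed.get(txn_id)


class Merchant:
    def __init__(self, collector):
        self.collector = collector
        self.orders = {}
        self.paid = {}  # order_id -> txn_id that settled it

    def create_order(self, order_id, amount, currency):
        self.orders[order_id] = Order(order_id, Decimal(amount), currency)

    def finalize_flawed(self, order_id, notice):
        """Flawed: treats the browser-relayed notice as proof of payment."""
        if order_id in self.orders and notice.status == "COMPLETED":
            self.paid[order_id] = notice.txn_id
            return "PAID"
        return "UNPAID"

    def finalize_checked(self, order_id, notice):
        """Hardened: every claim in the notice is re-checked against the
        collector's record and the store's own order before state changes."""
        order = self.orders.get(order_id)
        if order is None or order_id in self.paid:
            return "REJECTED"  # unknown order, or already settled
        if notice.txn_id in self.paid.values():
            return "REJECTED"  # one payment must not settle two orders
        record = self.collector.lookup(notice.txn_id)
        if record is None or record.status != "COMPLETED":
            return "REJECTED"  # collector never completed this transaction
        if record.order_id != order_id:
            return "REJECTED"  # payment was made for a different order
        if (record.currency, record.amount) != (order.currency, order.amount):
            return "REJECTED"  # amount or currency differs from the order
        self.paid[order_id] = notice.txn_id
        return "PAID"


def new_store(collector):
    store = Merchant(collector)
    store.create_order("ord-1", "49.99", "USD")
    store.create_order("ord-2", "49.99", "USD")
    return store


def run_scenarios():
    """Outcome of each constructed scenario under the flawed and checked paths."""
    collector = PaymentCollector()
    flawed, checked = new_store(collector), new_store(collector)
    # Genuine: the collector really completed ord-1 for the full amount.
    genuine = collector.complete("txn-A", "ord-1", Decimal("49.99"), "USD")
    # Underpaid: the collector completed ord-2, but for a smaller amount.
    underpaid = collector.complete("txn-B", "ord-2", Decimal("0.01"), "USD")
    # Forged: a notice the collector never issued.
    forged = PaymentNotice("txn-X", "ord-2", Decimal("49.99"), "USD", "COMPLETED")
    return {
        "flawed_genuine": flawed.finalize_flawed("ord-1", genuine),
        "flawed_forged": flawed.finalize_flawed("ord-2", forged),
        "checked_genuine": checked.finalize_checked("ord-1", genuine),
        "checked_forged": checked.finalize_checked("ord-2", forged),
        "checked_reuse": checked.finalize_checked("ord-2", genuine),
        "checked_underpaid": checked.finalize_checked("ord-2", underpaid),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point a scanner cannot see is that both paths are syntactically valid and accept the genuine payment; only the checked path ties the state change to facts the store can verify for itself (the collector's record, the order's own amount and currency, and whether that transaction has already been used), which is the kind of reasoning the case study asks students to perform.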
