论文信息 - Comparing Educational Approaches to Secure programming: Tool vs. TA

Comparing Educational Approaches to Secure programming: Tool vs. TA

The cause of many security problems is vulnerabilities in the underlying code. These vulnerabilities are the result of security mistakes made by programmers during application development, often because of lack of knowledge of the security implications of their code. Thus, educators need to teach students as future developers not only how to program, but how to program securely. Many researchers advocate integrating secure programming guidelines across the computer science curriculum. We are exploring a tool to support this goal. ESIDE (Educational Security in the IDE) is an Eclipse plug-in for Java which provides instant security warnings, detailed explanations, and auto-generated remediation code. The goal is to provide contextualized awareness and knowledge of security vulnerabilities and mitigations as students work on programming assignments within any course. In our latest study, we compare our tool against an alternative approach of using security clinics, a one-on-one session with a teaching assistant. We report preliminary findings regarding strengths and weaknesses of our tool based approach to train developers.

Heather Richter Lipford | Madiha Tabassum | Stacey Watson

[1] Jun Zhu,et al. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course , 2015, SIGCSE.

[2] Jun Zhu,et al. Interactive support for secure programming education , 2013, SIGCSE '13.

[3] Shiva Azadegan,et al. Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum , 2006, InfoSecCD '06.

[4] Yi Pan,et al. Increasing Security Awareness in Undergraduate Courses with Labware (Abstract Only) , 2016, SIGCSE.

[5] Alexander L. Wijesinha,et al. A Dedicated Undergraduate Track in Computer Security Education , 2003, World Conference on Information Security Education.

[6] Deborah A. Frincke,et al. Teaching Secure Programming , 2005, IEEE Secur. Priv..

[7] Kara L. Nance,et al. Teach Them When They Aren't Looking: Introducing Security in CS1 , 2009, IEEE Security & Privacy.

[8] Holger Junker. OWASP Enterprise Security API , 2012, Datenschutz und Datensicherheit - DuD.

[9] Matt Bishop,et al. A Clinic for "Secure" Programming , 2010, IEEE Security & Privacy.