Learning Software Security in Context: An Evaluation in Open Source Software Development Environment

Learning software security has become a more complex and difficult task today than it was even a decade ago. With the increased complexity of computer systems and the variety of applications, it is hard for software developers to master the expertise required to deal with the range of security concepts, methods, and technologies that software projects demand. Although a large number of security learning materials are widely available in books, in the open literature, and on the Internet, learners find it difficult to understand the rationale behind security topics and to correlate the concepts with real software scenarios. We argue that the traditional approach, which usually organizes knowledge content topically and in a security-centric manner, is not well suited to motivating learners or stimulating their interest. To tackle this learning issue, our research focuses on building a contextualized learning environment for software security in which learners can explore security knowledge and relate it to a context they are already familiar with. This learning system is developed on the basis of our proposed context-based learning approach and on ontological technologies. In this paper, we present our evaluation study in the open source software (OSS) development environment. Our results demonstrate that contextualized learning can help OSS developers identify the security information they need, improve learning efficiency, and make security knowledge more meaningful for their software development tasks.