Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics

Authors: Andrei-Cristian Iosif, Ulrike Lechner, Maria Pinto-Albuquerque, Tiago Espinha Gasiba


File

OASIcs.ICPEC.2024.14.pdf
  • Filesize: 0.77 MB
  • 11 pages

Author Details

Andrei-Cristian Iosif
  • Universität der Bundeswehr München, Germany
  • Siemens AG, München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Maria Pinto-Albuquerque
  • Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR, Portugal
Tiago Espinha Gasiba
  • Siemens AG, München, Germany

Cite As

Andrei-Cristian Iosif, Ulrike Lechner, Maria Pinto-Albuquerque, and Tiago Espinha Gasiba. Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 14:1-14:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)
https://doi.org/10.4230/OASIcs.ICPEC.2024.14

Abstract

In pursuing a secure software development lifecycle, industrial developers employ a combination of automated and manual techniques to mitigate vulnerabilities in source code. Among manual techniques, code review is a promising approach, with growing interest within the industry around it. However, the effectiveness of code reviews for security purposes relies on developers' empowerment and awareness, particularly in the domain-specific knowledge required for identifying security issues. Our study explores the use of DuckDebugger, a serious game designed specifically to enhance industrial practitioners' security knowledge for code reviews. By exploring analytics data collected from game interactions, we provide insights into player behavior and explore how the game influences their approach to security-focused code reviews. Altogether, we explore data from 13 events conducted in the industry together with 224 practitioners, and derive metrics such as the time participants spend reviewing a line of code and the time required to compose a comment. We offer empirical indicators on how serious games may effectively be utilized to empower developers, propose potential design improvements for educational tools, and discuss broader implications for the use of Serious Games in industrial settings. Furthermore, our discussion outlines the next steps for our work, together with possible limitations.

ACM Subject Classification
  • Security and privacy → Software and application security
  • Applied computing → Collaborative learning
  • Applied computing → E-learning
  • Security and privacy → Software security engineering
Keywords
  • Cybersecurity
  • Code Review
  • Developer Empowerment

