Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results

Authors Luís Afonso Casqueiro , Tiago Espinha Gasiba , Maria Pinto-Albuquerque , Ulrike Lechner



PDF
Thumbnail PDF

File

OASIcs.ICPEC.2021.10.pdf
  • Filesize: 0.96 MB
  • 11 pages

Document Identifiers

Author Details

Luís Afonso Casqueiro
  • University Institute of Lisbon, (ISCTE-IUL), ISTAR, Portugal
Tiago Espinha Gasiba
  • Siemens AG, Munich, Germany
Maria Pinto-Albuquerque
  • University Institute of Lisbon (ISCTE-IUL), ISTAR, Portugal
Ulrike Lechner
  • Universität der Bundeswehr München, Munich, Germany

Acknowledgements

The authors would like to thank all the survey participants for taking part in this preliminary study, and for their helpful and constructive feedback. Furthermore, the authors would like to thank the hosting organization for enabling the study to take place.

Cite AsGet BibTex

Luís Afonso Casqueiro, Tiago Espinha Gasiba, Maria Pinto-Albuquerque, and Ulrike Lechner. Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results. In Second International Computer Programming Education Conference (ICPEC 2021). Open Access Series in Informatics (OASIcs), Volume 91, pp. 10:1-10:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2021)
https://doi.org/10.4230/OASIcs.ICPEC.2021.10

Abstract

Secure software development is a crucial topic that companies need to address to develop high-quality software. However, it has been shown that software developers lack secure coding awareness. In this work, we use a serious game approach that presents players with Java challenges to raise Java programmers' secure coding awareness. Towards this, we adapted an existing platform, embedded in a serious game, to assess Java secure coding exercises and performed an empirical study. Our preliminary results provide a positive indication of our solution’s viability as a means of secure software development training. Our contribution can be used by practitioners and researchers alike through an overview on the implementation of automatic security assessment of Java CyberSecurity Challenges and their evaluation in an industrial context.

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
  • Security and privacy → Web application security
  • Applied computing → Computer-assisted instruction
  • Applied computing → E-learning
  • Applied computing → Interactive learning environments
Keywords
  • Education
  • Teaching
  • Training
  • Awareness
  • Secure Coding
  • Industry
  • Programming
  • Cybersecurity
  • Capture-the-Flag
  • Intelligent Coach

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. Uğur Bakan and Ufuk Bakan. Game-Based Learning Studies in Education Journals: A Systematic Review of Recent Trends. Actualidades Pedagógicas, pages 119-145, July 2018. URL: https://doi.org/10.19052/ap.5245.
  2. Marílio Cardoso, António Vieira de Castro, Álvaro Rocha, Emanuel Silva, and Jorge Mendonça. Use of Automatic Code Assessment Tools in the Programming Teaching Process. In Ricardo Queirós, Filipe Portela, Mário Pinto, and Alberto Simões, editors, First International Computer Programming Education Conference (ICPEC 2020), volume 81 of OpenAccess Series in Informatics (OASIcs), pages 4:1-4:10, Dagstuhl, Germany, 2020. Schloss Dagstuhl-Leibniz-Zentrum für Informatik. URL: https://doi.org/10.4230/OASIcs.ICPEC.2020.4.
  3. MITRE Corporation. Common Weakness Enumeration. Online, Accessed 4 July 2019. URL: https://cwe.mitre.org/.
  4. MITRE Corporation. Common Weakness Enumeration - 404. Online, Accessed 4 July 2019. URL: https://cwe.mitre.org/data/definitions/404.html.
  5. MITRE Corporation. Common Weakness Enumeration - 772. Online, Accessed 4 July 2019. URL: https://cwe.mitre.org/data/definitions/772.html.
  6. Ian Cullinane, Catherine Huang, Thomas Sharkey, and Shamsi Moussavi. Cyber Security Education Through Gaming Cybersecurity Games Can Be Interactive, Fun, Educational and Engaging. J. Computing Sciences in Colleges, 30(6):75-81, June 2015. Google Scholar
  7. Department of Homeland Security, US-CERT. Software Assurance. Online, Accessed 27 September 2020. URL: https://tinyurl.com/y6pr9v42.
  8. Ralph Dörner, Stefan Göbel, Wolfgang Effelsberg, and Josef Wiemeyer. Serious Games: Foundations, Concepts and Practice. Springer International Publishing, 1 edition, 2016. URL: https://doi.org/10.1007/978-3-319-40612-1.
  9. Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security. In IEEE Symposium on Security and Privacy, pages 121-136, San Jose, CA, USA, 2017. IEEE Computer Society. URL: https://doi.org/10.1109/SP.2017.31.
  10. Tiago Gasiba, Kristian Beckers, Santiago Suppan, and Filip Rezabek. On the requirements for serious games geared towards software developers in the industry. In Daniela E. Damian, Anna Perini, and Seok-Won Lee, editors, 27th IEEE International Requirements Engineering Conference, RE 2019, Jeju Island, Korea (South), September 23-27, 2019. IEEE, 2019. URL: https://ieeexplore.ieee.org/xpl/conhome/8910334/proceeding.
  11. Tiago Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Sifu - a cybersecurity awareness platform with challenge assessment and intelligent coach. In Special Issue of Cyber-Physical System Security of the Cybersecurity Journal, Online, October 2020. SpringerOpen. Google Scholar
  12. Daniel Graziotin, Fabian Fagerholm, Xiaofeng Wang, and Pekka Abrahamsson. What happens when software developers are (un)happy. Journal of Systems and Software, 140:32-47, June 2018. URL: https://doi.org/10.1016/j.jss.2018.02.041.
  13. Norman Hansch and Zinaida Benenson. Specifying IT Security Awareness. In 25th International Workshop on Database and Expert Systems Applications, Munich, Germany, pages 326-330, September 2014. URL: https://doi.org/10.1109/DEXA.2014.71.
  14. Luis Afonso Casqueiro. Automated Java Challenges' Security Assessment1for Training in Industry – Preliminary Results. Zenodo, February 2021. . URL: https://doi.org/10.5281/zenodo.4740829.
  15. Na Meng, Stefan Nagy, Danfeng Daphne Yao, Wenjie Zhuang, and Gustavo Arango. Secure Coding Practices in Java: Challenges and Vulnerabilities. In IEEE/ACM 40th International Conference on Software Engineering (ICSE), pages 372-383, May 2018. URL: https://doi.org/10.1145/3180155.3180201.
  16. Daniela Seabra Oliveira, Tian Lin, Muhammad Sajidur Rahman, Rad Akefirad, Donovan Ellis, Eliany Perez, Rahul Bobhate, Lois A DeLong, Justin Cappos, and Yuriy Brun. API Blindspots: Why Experienced Developers Write Vulnerable Code. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pages 315-328, August 2018. (USENIX) Association, Baltimore, MD, USA, ISBN: 978-1-939133-10-6. URL: https://www.usenix.org/conference/soups2018/presentation/oliveira.
  17. Suri Patel. 2019 Global Developer Report: DevSecOps Finds Security Roadblocks Divide Teams. Online, Accessed 18 July 2020. URL: https://tinyurl.com/3z57t32d.
  18. Alison DeNisco Rayome. The 3 Least Secure Programming Languages, March 2019. URL: https://www.techrepublic.com/article/the-3-least-secure-programming-languages/.
  19. Tim Rietz and Alexander Maedche. LadderBot: A Requirements Self-Elicitation System. In 2019 IEEE 27th International Requirements Engineering Conference (RE), pages 357-362. IEEE, 2019. Google Scholar
  20. Marc Schönefeld. Java-Security: Sicherheitslücken identifizieren und vermeiden. MITP-Verlags GmbH & Co. KG, 2011. Google Scholar
  21. Maung Sein, Ola Henfridsson, Sandeep Purao, Matti Rossi, and Rikard Lindgren. Action Design Research. MIS Quarterly, 35(1):37-56, March 2011. URL: https://doi.org/10.2307/23043488.
  22. Software Engineering Institute, Carnegie Mellon. SEI CERT Oracle Coding Standard for Java. Online, Accessed 11 June 2018. URL: https://tinyurl.com/ypm4mnj8.
  23. Software Engineering Institute, Carnegie Mellon. SEI CERT Oracle Coding Standard for Java - FIO04-J. Release resources when they are no longer needed. Online, Accessed 11 June 2018. URL: https://wiki.sei.cmu.edu/confluence/display/java/FIO04-J.+Release+resources+when+they+are+no+longer+needed.
  24. Silvio Sorace, Elisabeth Quercia, Ernesto La Mattina, Charalampos Z. Patrikakis, Liz Bacon, Georgios Loukas, and Lachlan Mackinnon. Serious Games: An Attractive Approach to Improve Awareness, pages 1-9. Springer International Publishing, Springer Cham, 2018. Google Scholar
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail