DROPS

Document

DOI: 10.4230/OASIcs.ICPEC.2024.14

Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics

Authors: Andrei-Cristian Iosif, Ulrike Lechner, Maria Pinto-Albuquerque, and Tiago Espinha Gasiba

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract

In pursuing a secure software development lifecycle, industrial developers employ a combination of automated and manual techniques to mitigate vulnerabilities in source code. Among manual techniques, code review is a promising approach, with growing interest within the industry around it. However, the effectiveness of code reviews for security purposes relies on developers' empowerment and awareness, particularly in the domain-specific knowledge required for identifying security issues. Our study explores the use of DuckDebugger, a serious game designed specifically to enhance industrial practitioners' security knowledge for code reviews. By exploring analytics data collected from game interactions, we provide insights into player behavior and explore how the game influences their approach to security-focused code reviews. Altogether, we explore data from 13 events conducted in the industry together with 224 practitioners, and derive metrics such as the time it takes participants spend to reviewing a line of code and the time required to compose a comment. We offer empirical indicators on how serious games may effectively be utilized to empower developers, propose potential design improvements for educational tools, and discuss broader implications for the use of Serious Games in industrial settings. Furthermore, our discussion extends to include a discussion outlining the next steps for our work, together with possible limitations.

Cite as

Andrei-Cristian Iosif, Ulrike Lechner, Maria Pinto-Albuquerque, and Tiago Espinha Gasiba. Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 14:1-14:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{iosif_et_al:OASIcs.ICPEC.2024.14,
  author =	{Iosif, Andrei-Cristian and Lechner, Ulrike and Pinto-Albuquerque, Maria and Espinha Gasiba, Tiago},
  title =	{{Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{14:1--14:11},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.14},
  URN =		{urn:nbn:de:0030-drops-209836},
  doi =		{10.4230/OASIcs.ICPEC.2024.14},
  annote =	{Keywords: Cybersecurity, Code Review, Developer Empowerment}
}

Document

DOI: 10.4230/OASIcs.ICPEC.2024.16

To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education

Authors: Andrei-Cristian Iosif, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract

The use of third-party components (TPCs) and open-source software (OSS) has become increasingly popular in software development, and this trend has also increased the chance of detecting security vulnerabilities. Understanding practical recurring vulnerabilities that occur in real-world applications (TPCs and OSS) is a very important step to educate not only aspiring software developers, but also seasoned ones. To achieve this goal, we analyze publicly available OSS software on GitHub to identify the most common security vulnerabilities and their frequency of occurrence between 2009 and 2022. Our work looks at programming language and type of vulnerability and also analyses the number of code lines needed to be changed to fix different vulnerabilities. Furthermore, our work contributes to the understanding of real-world and human-made data quality required for training machine learning algorithms by highlighting the importance of homogeneous and complete data. We provide insights for both developers and researchers seeking to improve cybersecurity in software education and mitigate risks associated with OSS and TPCs. Finally, our analysis contributes to software education by shedding light on common sources of poor code quality and the effort required to fix different vulnerabilities.

Cite as

Andrei-Cristian Iosif, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 16:1-16:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{iosif_et_al:OASIcs.ICPEC.2024.16,
  author =	{Iosif, Andrei-Cristian and Espinha Gasiba, Tiago and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{16:1--16:12},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.16},
  URN =		{urn:nbn:de:0030-drops-209853},
  doi =		{10.4230/OASIcs.ICPEC.2024.16},
  annote =	{Keywords: Open-source software, Software quality, Cybersecurity, Repository Mining}
}

Document

DOI: 10.4230/OASIcs.ICPEC.2024.17

Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking

Authors: Samuel Riegel Correia, Maria Pinto-Albuquerque, Tiago Espinha Gasiba, and Andrei-Cristian Iosif

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract

In industrial cybersecurity, effective mitigation of vulnerabilities is crucial. This study investigates the importance of code reviews among cybersecurity professionals and analyses their performance in identifying vulnerabilities using eye-tracking technology. With the insights gained from this study, we aim to inform future tools and training in cybersecurity, particularly in the context of code reviews. Through a survey of industry experts, we reveal what tasks industry professionals consider the most important in mitigating cybersecurity vulnerabilities. A study was conducted to analyse how industrial cybersecurity professionals look at code during code reviews. We determined the types of issues our participants most easily discovered and linked our results with patterns and data obtained from an eye-tracking device used during the study. Our findings underscore the pivotal role of code reviews in cybersecurity and provide valuable insights for industrial professionals and researchers alike.

Cite as

Samuel Riegel Correia, Maria Pinto-Albuquerque, Tiago Espinha Gasiba, and Andrei-Cristian Iosif. Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 17:1-17:9, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{riegelcorreia_et_al:OASIcs.ICPEC.2024.17,
  author =	{Riegel Correia, Samuel and Pinto-Albuquerque, Maria and Espinha Gasiba, Tiago and Iosif, Andrei-Cristian},
  title =	{{Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{17:1--17:9},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.17},
  URN =		{urn:nbn:de:0030-drops-209863},
  doi =		{10.4230/OASIcs.ICPEC.2024.17},
  annote =	{Keywords: code review, cybersecurity, development lifecycle, eye-tracking}
}

Document

DOI: 10.4230/OASIcs.ICPEC.2023.2

I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding

Authors: Tiago Espinha Gasiba, Kaan Oguzhan, Ibrahim Kessba, Ulrike Lechner, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 112, 4th International Computer Programming Education Conference (ICPEC 2023)

Abstract

Software security is an important topic that is gaining more and more attention due to the rising number of publicly known cybersecurity incidents. Previous research has shown that one way to address software security is by means of a serious game, the CyberSecurity Challenges, which are designed to raise awareness of software developers of secure coding guidelines. This game, which has been proven to be very successful in the industry, makes use of an artificial intelligence technique (laddering technique) to implement a chatbot for human-machine interaction. Recent advances in machine learning led to a breakthrough, with the implementation of ChatGPT by OpenAI. This algorithm has been trained in a large amount of data and is capable of analysing and interpreting not only natural language, but also small code snippets containing source code in different programming languages. With the advent of ChatGPT, and previous state-of-the-art research in secure software development, a natural question arises: to which extent can ChatGPT aid software developers in writing secure software?. In this paper, we draw on our experience in the industry, and also on extensive previous work to analyse and reflect on how to use ChatGPT to aid secure software development. Towards this, we run a small experiment using five different vulnerable code snippets. Our interactions with ChatGPT allow us to conclude on advantages, disadvantages and limitations of the usage of this new technology.

Cite as

Tiago Espinha Gasiba, Kaan Oguzhan, Ibrahim Kessba, Ulrike Lechner, and Maria Pinto-Albuquerque. I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding. In 4th International Computer Programming Education Conference (ICPEC 2023). Open Access Series in Informatics (OASIcs), Volume 112, pp. 2:1-2:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)

Copy BibTex To Clipboard

@InProceedings{espinhagasiba_et_al:OASIcs.ICPEC.2023.2,
  author =	{Espinha Gasiba, Tiago and Oguzhan, Kaan and Kessba, Ibrahim and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding}},
  booktitle =	{4th International Computer Programming Education Conference (ICPEC 2023)},
  pages =	{2:1--2:12},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-290-7},
  ISSN =	{2190-6807},
  year =	{2023},
  volume =	{112},
  editor =	{Peixoto de Queir\'{o}s, Ricardo Alexandre and Teixeira Pinto, M\'{a}rio Paulo},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2023.2},
  URN =		{urn:nbn:de:0030-drops-184986},
  doi =		{10.4230/OASIcs.ICPEC.2023.2},
  annote =	{Keywords: Serious Games, IT-Security, Machine Learning, ChatGPT, Secure Coding, Industry, Software Development, Teaching}
}

@InProceedings{espinhagasiba_et_al:OASIcs.ICPEC.2023.2,
  author =	{Espinha Gasiba, Tiago and Oguzhan, Kaan and Kessba, Ibrahim and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding}},
  booktitle =	{4th International Computer Programming Education Conference (ICPEC 2023)},
  pages =	{2:1--2:12},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-290-7},
  ISSN =	{2190-6807},
  year =	{2023},
  volume =	{112},
  editor =	{Peixoto de Queir\'{o}s, Ricardo Alexandre and Teixeira Pinto, M\'{a}rio Paulo},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2023.2},
  URN =		{urn:nbn:de:0030-drops-184986},
  doi =		{10.4230/OASIcs.ICPEC.2023.2},
  annote =	{Keywords: Serious Games, IT-Security, Machine Learning, ChatGPT, Secure Coding, Industry, Software Development, Teaching}
}

Search Results

Documents authored by Espinha Gasiba, Tiago

Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics

Abstract

Cite as

To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education

Abstract

Cite as

Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking

Abstract

Cite as

I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding

Abstract

Cite as

Thanks for your feedback!

Could not send message