Search Results

Documents authored by Pinto-Albuquerque, Maria

Document
DOI: 10.4230/OASIcs.ICPEC.2025.2
Enabling Secure Coding: Exploring GenAI for Developer Training and Education

Authors: Sathwik Amburi, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 133, 6th International Computer Programming Education Conference (ICPEC 2025)

Abstract
The rapid adoption of GenAI for code generation presents unprecedented opportunities and significant security challenges. Raising awareness about secure coding is critical for preventing software vulnerabilities. To investigate how Generative AI can best support secure coding, we built an AI Secure Coding platform, an interactive training environment that embeds a GPT-4 based chatbot directly into a structured challenge workflow. The platform comprises a landing page, a challenges page with three AI-generated tasks, and a challenge page where participants work with code snippets. In each challenge, developers (1) identify vulnerabilities by reviewing code and adding comments, (2) ask the AI for help via a chat based interface, (3) review and refine comments based on AI feedback, and (4) fix vulnerabilities by submitting secure patches. The study involved 18 industry developers tackling three challenges. Participants used the AI Secure Coding Platform to detect and remediate vulnerabilities and then completed a survey to capture their opinions and comfort level with AI assisted platform for secure coding. Results show that AI assistance can boost productivity, reduce errors, and uncover more defects when treated as a "second pair of eyes," but it can also foster over-reliance. This study introduces the AI Secure Coding platform, presents preliminary results from a initial study, and shows that embedding GenAI into a structured secure-coding workflow can both enable and challenge developers. This work also opens the door to a new research field: leveraging GenAI to enable secure software development.
Cite as

Sathwik Amburi, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Enabling Secure Coding: Exploring GenAI for Developer Training and Education. In 6th International Computer Programming Education Conference (ICPEC 2025). Open Access Series in Informatics (OASIcs), Volume 133, pp. 2:1-2:15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025)

Copy BibTex To Clipboard

@InProceedings{amburi_et_al:OASIcs.ICPEC.2025.2,
  author =	{Amburi, Sathwik and Espinha Gasiba, Tiago and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{Enabling Secure Coding: Exploring GenAI for Developer Training and Education}},
  booktitle =	{6th International Computer Programming Education Conference (ICPEC 2025)},
  pages =	{2:1--2:15},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-393-5},
  ISSN =	{2190-6807},
  year =	{2025},
  volume =	{133},
  editor =	{Queir\'{o}s, Ricardo and Pinto, M\'{a}rio and Portela, Filipe and Sim\~{o}es, Alberto},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2025.2},
  URN =		{urn:nbn:de:0030-drops-240321},
  doi =		{10.4230/OASIcs.ICPEC.2025.2},
  annote =	{Keywords: Secure Coding, Industry, Software Development, Generative AI, Large Language Models, Teaching}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2025.4
Can Open Large Language Models Catch Vulnerabilities?

Authors: Diogo Gaspar Lopes, Tiago Espinha Gasiba, Sathwik Amburi, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 133, 6th International Computer Programming Education Conference (ICPEC 2025)

Abstract
As Large Language Models (LLMs) become increasingly integrated into secure software development workflows, a critical question remains unanswered: can these models not only detect insecure code but also reliably classify vulnerabilities according to standardized taxonomies? In this work, we conduct a systematic evaluation of three state-of-the-art LLMs - Llama3, Codestral, and Deepseek R1 - using a carefully filtered subset of the Big-Vul dataset annotated with eight representative Common Weakness Enumeration categories. Adopting a closed-world classification setup, we assess each model’s performance in both identifying the presence of vulnerabilities and mapping them to the correct CWE label. Our findings reveal a sharp contrast between high detection rates and markedly poor classification accuracy, with frequent overgeneralization and misclassification. Moreover, we analyze model-specific biases and common failure modes, shedding light on the limitations of current LLMs in performing fine-grained security reasoning.These insights are especially relevant in educational contexts, where LLMs are being adopted as learning aids despite their limitations. A nuanced understanding of their behaviour is essential to prevent the propagation of misconceptions among students. Our results expose key challenges that must be addressed before LLMs can be reliably deployed in security-sensitive environments.
Cite as

Diogo Gaspar Lopes, Tiago Espinha Gasiba, Sathwik Amburi, and Maria Pinto-Albuquerque. Can Open Large Language Models Catch Vulnerabilities?. In 6th International Computer Programming Education Conference (ICPEC 2025). Open Access Series in Informatics (OASIcs), Volume 133, pp. 4:1-4:14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025)

Copy BibTex To Clipboard

@InProceedings{gasparlopes_et_al:OASIcs.ICPEC.2025.4,
  author =	{Gaspar Lopes, Diogo and Espinha Gasiba, Tiago and Amburi, Sathwik and Pinto-Albuquerque, Maria},
  title =	{{Can Open Large Language Models Catch Vulnerabilities?}},
  booktitle =	{6th International Computer Programming Education Conference (ICPEC 2025)},
  pages =	{4:1--4:14},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-393-5},
  ISSN =	{2190-6807},
  year =	{2025},
  volume =	{133},
  editor =	{Queir\'{o}s, Ricardo and Pinto, M\'{a}rio and Portela, Filipe and Sim\~{o}es, Alberto},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2025.4},
  URN =		{urn:nbn:de:0030-drops-240340},
  doi =		{10.4230/OASIcs.ICPEC.2025.4},
  annote =	{Keywords: Large Language Models (LLMs), Secure Coding, CWE Classification, Machine Learning, Software Vulnerability Detection, Artificial Intelligence, Code Analysis, Big-Vul Dataset}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2025.9
Are We There Yet? On Security Vulnerabilities Produced by Open Source Generative AI Models and Its Implications for Security Education

Authors: Maria Camila Santos Galeano, Tiago Espinha Gasiba, Sathwik Amburi, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 133, 6th International Computer Programming Education Conference (ICPEC 2025)

Abstract
With the increasing integration of large language models (LLMs) into software development and programming education, concerns have emerged about the security of AI-generated code. This study investigates the security of three open source code generation models. Codestral, DeepSeek R1, and LLaMA 3.3 70B using structured prompts in Python, C, and Java. Some prompts were designed to explicitly trigger known vulnerability patterns, such as unsanitized input handling or unsafe memory operations, in order to assess how each model responds to security-sensitive tasks. The findings reveal recurring issues, including command execution vulnerabilities, insecure memory handling, and insufficient input validation. In response, we propose a set of recommendations for integrating secure prompt design and code auditing practices into developer training. These guidelines aim to help future developers generate safer code and better identify flaws in GenAI-generated output. This work offers an initial analysis of the limitations of GenAI-assisted code generation and provides actionable strategies to support the more secure and responsible use of these tools in professional and educational contexts.
Cite as

Maria Camila Santos Galeano, Tiago Espinha Gasiba, Sathwik Amburi, and Maria Pinto-Albuquerque. Are We There Yet? On Security Vulnerabilities Produced by Open Source Generative AI Models and Its Implications for Security Education. In 6th International Computer Programming Education Conference (ICPEC 2025). Open Access Series in Informatics (OASIcs), Volume 133, pp. 9:1-9:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025)

Copy BibTex To Clipboard

@InProceedings{santosgaleano_et_al:OASIcs.ICPEC.2025.9,
  author =	{Santos Galeano, Maria Camila and Espinha Gasiba, Tiago and Amburi, Sathwik and Pinto-Albuquerque, Maria},
  title =	{{Are We There Yet? On Security Vulnerabilities Produced by Open Source Generative AI Models and Its Implications for Security Education}},
  booktitle =	{6th International Computer Programming Education Conference (ICPEC 2025)},
  pages =	{9:1--9:12},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-393-5},
  ISSN =	{2190-6807},
  year =	{2025},
  volume =	{133},
  editor =	{Queir\'{o}s, Ricardo and Pinto, M\'{a}rio and Portela, Filipe and Sim\~{o}es, Alberto},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2025.9},
  URN =		{urn:nbn:de:0030-drops-240395},
  doi =		{10.4230/OASIcs.ICPEC.2025.9},
  annote =	{Keywords: Generative AI, Code Security, Programming Education, Prompt Engineering, Secure Coding, Static Analysis}
}
Document
Complete Volume
DOI: 10.4230/OASIcs.ICPEC.2024
OASIcs, Volume 122, ICPEC 2024, Complete Volume

Authors: André L. Santos and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract
OASIcs, Volume 122, ICPEC 2024, Complete Volume
Cite as

5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 1-238, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@Proceedings{santos_et_al:OASIcs.ICPEC.2024,
  title =	{{OASIcs, Volume 122, ICPEC 2024, Complete Volume}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{1--238},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024},
  URN =		{urn:nbn:de:0030-drops-209684},
  doi =		{10.4230/OASIcs.ICPEC.2024},
  annote =	{Keywords: OASIcs, Volume 122, ICPEC 2024, Complete Volume}
}
Document
Front Matter
DOI: 10.4230/OASIcs.ICPEC.2024.0
Front Matter, Table of Contents, Preface, Conference Organization

Authors: André L. Santos and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract
Front Matter, Table of Contents, Preface, Conference Organization
Cite as

5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 0:i-0:xii, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{santos_et_al:OASIcs.ICPEC.2024.0,
  author =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  title =	{{Front Matter, Table of Contents, Preface, Conference Organization}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{0:i--0:xii},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.0},
  URN =		{urn:nbn:de:0030-drops-209694},
  doi =		{10.4230/OASIcs.ICPEC.2024.0},
  annote =	{Keywords: Front Matter, Table of Contents, Preface, Conference Organization}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2024.14
Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics

Authors: Andrei-Cristian Iosif, Ulrike Lechner, Maria Pinto-Albuquerque, and Tiago Espinha Gasiba

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract
In pursuing a secure software development lifecycle, industrial developers employ a combination of automated and manual techniques to mitigate vulnerabilities in source code. Among manual techniques, code review is a promising approach, with growing interest within the industry around it. However, the effectiveness of code reviews for security purposes relies on developers' empowerment and awareness, particularly in the domain-specific knowledge required for identifying security issues. Our study explores the use of DuckDebugger, a serious game designed specifically to enhance industrial practitioners' security knowledge for code reviews. By exploring analytics data collected from game interactions, we provide insights into player behavior and explore how the game influences their approach to security-focused code reviews. Altogether, we explore data from 13 events conducted in the industry together with 224 practitioners, and derive metrics such as the time it takes participants spend to reviewing a line of code and the time required to compose a comment. We offer empirical indicators on how serious games may effectively be utilized to empower developers, propose potential design improvements for educational tools, and discuss broader implications for the use of Serious Games in industrial settings. Furthermore, our discussion extends to include a discussion outlining the next steps for our work, together with possible limitations.
Cite as

Andrei-Cristian Iosif, Ulrike Lechner, Maria Pinto-Albuquerque, and Tiago Espinha Gasiba. Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 14:1-14:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{iosif_et_al:OASIcs.ICPEC.2024.14,
  author =	{Iosif, Andrei-Cristian and Lechner, Ulrike and Pinto-Albuquerque, Maria and Espinha Gasiba, Tiago},
  title =	{{Code Review for CyberSecurity in the Industry: Insights from Gameplay Analytics}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{14:1--14:11},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.14},
  URN =		{urn:nbn:de:0030-drops-209836},
  doi =		{10.4230/OASIcs.ICPEC.2024.14},
  annote =	{Keywords: Cybersecurity, Code Review, Developer Empowerment}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2024.16
To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education

Authors: Andrei-Cristian Iosif, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract
The use of third-party components (TPCs) and open-source software (OSS) has become increasingly popular in software development, and this trend has also increased the chance of detecting security vulnerabilities. Understanding practical recurring vulnerabilities that occur in real-world applications (TPCs and OSS) is a very important step to educate not only aspiring software developers, but also seasoned ones. To achieve this goal, we analyze publicly available OSS software on GitHub to identify the most common security vulnerabilities and their frequency of occurrence between 2009 and 2022. Our work looks at programming language and type of vulnerability and also analyses the number of code lines needed to be changed to fix different vulnerabilities. Furthermore, our work contributes to the understanding of real-world and human-made data quality required for training machine learning algorithms by highlighting the importance of homogeneous and complete data. We provide insights for both developers and researchers seeking to improve cybersecurity in software education and mitigate risks associated with OSS and TPCs. Finally, our analysis contributes to software education by shedding light on common sources of poor code quality and the effort required to fix different vulnerabilities.
Cite as

Andrei-Cristian Iosif, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 16:1-16:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{iosif_et_al:OASIcs.ICPEC.2024.16,
  author =	{Iosif, Andrei-Cristian and Espinha Gasiba, Tiago and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{16:1--16:12},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.16},
  URN =		{urn:nbn:de:0030-drops-209853},
  doi =		{10.4230/OASIcs.ICPEC.2024.16},
  annote =	{Keywords: Open-source software, Software quality, Cybersecurity, Repository Mining}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2024.17
Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking

Authors: Samuel Riegel Correia, Maria Pinto-Albuquerque, Tiago Espinha Gasiba, and Andrei-Cristian Iosif

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract
In industrial cybersecurity, effective mitigation of vulnerabilities is crucial. This study investigates the importance of code reviews among cybersecurity professionals and analyses their performance in identifying vulnerabilities using eye-tracking technology. With the insights gained from this study, we aim to inform future tools and training in cybersecurity, particularly in the context of code reviews. Through a survey of industry experts, we reveal what tasks industry professionals consider the most important in mitigating cybersecurity vulnerabilities. A study was conducted to analyse how industrial cybersecurity professionals look at code during code reviews. We determined the types of issues our participants most easily discovered and linked our results with patterns and data obtained from an eye-tracking device used during the study. Our findings underscore the pivotal role of code reviews in cybersecurity and provide valuable insights for industrial professionals and researchers alike.
Cite as

Samuel Riegel Correia, Maria Pinto-Albuquerque, Tiago Espinha Gasiba, and Andrei-Cristian Iosif. Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 17:1-17:9, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{riegelcorreia_et_al:OASIcs.ICPEC.2024.17,
  author =	{Riegel Correia, Samuel and Pinto-Albuquerque, Maria and Espinha Gasiba, Tiago and Iosif, Andrei-Cristian},
  title =	{{Improving Industrial Cybersecurity Training: Insights into Code Reviews Using Eye-Tracking}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{17:1--17:9},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.17},
  URN =		{urn:nbn:de:0030-drops-209863},
  doi =		{10.4230/OASIcs.ICPEC.2024.17},
  annote =	{Keywords: code review, cybersecurity, development lifecycle, eye-tracking}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2024.20
Use of Programming Aids in Undergraduate Courses

Authors: Ana Rita Peixoto, André Glória, José Luís Silva, Maria Pinto-Albuquerque, Tomás Brandão, and Luís Nunes

Published in: OASIcs, Volume 122, 5th International Computer Programming Education Conference (ICPEC 2024)

Abstract
The use of external tips and applications to help with programming assignments, by novice programmers, is a double-edged sword, it can help by showing examples of problem-solving strategies, but it can also prevent learning because recognizing a good solution is not the same skill as creating one. A study was conducted during the 2superscript{nd} semester of 23/24 in the course of Object Oriented Programming to help understand the impact of the programming aids in learning. The main questions that drove this study were: Which type(s) of assistance do students use when learning to program? When / where do they use it? Does it affect grades? Results, even though with a relatively small sample, seem to indicate that students who used aids have a perception of improved learning when using advice from Colleagues, Copilot-style tools, and Large Language Models. Results of correlating average grades with the usage of tools suggest that experience in using these tools is key for its successful use, but, contrary to students' perceptions, learning gains are marginal in the end result.
Cite as

Ana Rita Peixoto, André Glória, José Luís Silva, Maria Pinto-Albuquerque, Tomás Brandão, and Luís Nunes. Use of Programming Aids in Undergraduate Courses. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 20:1-20:9, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)

Copy BibTex To Clipboard

@InProceedings{peixoto_et_al:OASIcs.ICPEC.2024.20,
  author =	{Peixoto, Ana Rita and Gl\'{o}ria, Andr\'{e} and Silva, Jos\'{e} Lu{\'\i}s and Pinto-Albuquerque, Maria and Brand\~{a}o, Tom\'{a}s and Nunes, Lu{\'\i}s},
  title =	{{Use of Programming Aids in Undergraduate Courses}},
  booktitle =	{5th International Computer Programming Education Conference (ICPEC 2024)},
  pages =	{20:1--20:9},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-347-8},
  ISSN =	{2190-6807},
  year =	{2024},
  volume =	{122},
  editor =	{Santos, Andr\'{e} L. and Pinto-Albuquerque, Maria},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2024.20},
  URN =		{urn:nbn:de:0030-drops-209894},
  doi =		{10.4230/OASIcs.ICPEC.2024.20},
  annote =	{Keywords: Teaching Programming, Programming aids}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2023.2
I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding

Authors: Tiago Espinha Gasiba, Kaan Oguzhan, Ibrahim Kessba, Ulrike Lechner, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 112, 4th International Computer Programming Education Conference (ICPEC 2023)

Abstract
Software security is an important topic that is gaining more and more attention due to the rising number of publicly known cybersecurity incidents. Previous research has shown that one way to address software security is by means of a serious game, the CyberSecurity Challenges, which are designed to raise awareness of software developers of secure coding guidelines. This game, which has been proven to be very successful in the industry, makes use of an artificial intelligence technique (laddering technique) to implement a chatbot for human-machine interaction. Recent advances in machine learning led to a breakthrough, with the implementation of ChatGPT by OpenAI. This algorithm has been trained in a large amount of data and is capable of analysing and interpreting not only natural language, but also small code snippets containing source code in different programming languages. With the advent of ChatGPT, and previous state-of-the-art research in secure software development, a natural question arises: to which extent can ChatGPT aid software developers in writing secure software?. In this paper, we draw on our experience in the industry, and also on extensive previous work to analyse and reflect on how to use ChatGPT to aid secure software development. Towards this, we run a small experiment using five different vulnerable code snippets. Our interactions with ChatGPT allow us to conclude on advantages, disadvantages and limitations of the usage of this new technology.
Cite as

Tiago Espinha Gasiba, Kaan Oguzhan, Ibrahim Kessba, Ulrike Lechner, and Maria Pinto-Albuquerque. I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding. In 4th International Computer Programming Education Conference (ICPEC 2023). Open Access Series in Informatics (OASIcs), Volume 112, pp. 2:1-2:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)

Copy BibTex To Clipboard

@InProceedings{espinhagasiba_et_al:OASIcs.ICPEC.2023.2,
  author =	{Espinha Gasiba, Tiago and Oguzhan, Kaan and Kessba, Ibrahim and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding}},
  booktitle =	{4th International Computer Programming Education Conference (ICPEC 2023)},
  pages =	{2:1--2:12},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-290-7},
  ISSN =	{2190-6807},
  year =	{2023},
  volume =	{112},
  editor =	{Peixoto de Queir\'{o}s, Ricardo Alexandre and Teixeira Pinto, M\'{a}rio Paulo},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2023.2},
  URN =		{urn:nbn:de:0030-drops-184986},
  doi =		{10.4230/OASIcs.ICPEC.2023.2},
  annote =	{Keywords: Serious Games, IT-Security, Machine Learning, ChatGPT, Secure Coding, Industry, Software Development, Teaching}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2022.6
Cloud of Assets and Threats: A Playful Method to Raise Awareness for Cloud Security in Industry

Authors: Tiange Zhao, Ulrike Lechner, Maria Pinto-Albuquerque, and Ece Ata

Published in: OASIcs, Volume 102, Third International Computer Programming Education Conference (ICPEC 2022)

Abstract
Cloud computing has become a convenient technology widely used in industry, providing profit and flexibility to companies. Many enterprises embrace cloud service by migrating their products and solutions from on-premise to cloud environments. Cloud assets and applications are vulnerable to security challenges if not adequately protected. Regulations, standards and guidelines aim to enforce cloud security controls in the industry and practitioners need training to raise awareness of cloud security issues and learn about the defense mechanisms and controls. We propose a serious game Cloud of Assets and Threats (CAT) for enhancing cloud security awareness of industrial practitioners. This study extends first results of applying such a serious game in industry [Zhao et al., 2021] and refines its design in two iterations. In the first design iteration, we implemented a digital game platform with six attack scenarios and developed a new player versus environment gaming mode. In the second design iteration, we adjusted the attack scenarios and introduced different difficulty levels for the scenarios. We present, analyse, and discuss the game events. We conclude that CAT is a promising method to raise awareness for cloud security in the industry.
Cite as

Tiange Zhao, Ulrike Lechner, Maria Pinto-Albuquerque, and Ece Ata. Cloud of Assets and Threats: A Playful Method to Raise Awareness for Cloud Security in Industry. In Third International Computer Programming Education Conference (ICPEC 2022). Open Access Series in Informatics (OASIcs), Volume 102, pp. 6:1-6:13, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)

Copy BibTex To Clipboard

@InProceedings{zhao_et_al:OASIcs.ICPEC.2022.6,
  author =	{Zhao, Tiange and Lechner, Ulrike and Pinto-Albuquerque, Maria and Ata, Ece},
  title =	{{Cloud of Assets and Threats: A Playful Method to Raise Awareness for Cloud Security in Industry}},
  booktitle =	{Third International Computer Programming Education Conference (ICPEC 2022)},
  pages =	{6:1--6:13},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-229-7},
  ISSN =	{2190-6807},
  year =	{2022},
  volume =	{102},
  editor =	{Sim\~{o}es, Alberto and Silva, Jo\~{a}o Carlos},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2022.6},
  URN =		{urn:nbn:de:0030-drops-166107},
  doi =		{10.4230/OASIcs.ICPEC.2022.6},
  annote =	{Keywords: Cloud security, Cloud control matrix, Shared-responsibility model, Industry, Training, Gamification}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2021.10
Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results

Authors: Luís Afonso Casqueiro, Tiago Espinha Gasiba, Maria Pinto-Albuquerque, and Ulrike Lechner

Published in: OASIcs, Volume 91, Second International Computer Programming Education Conference (ICPEC 2021)

Abstract
Secure software development is a crucial topic that companies need to address to develop high-quality software. However, it has been shown that software developers lack secure coding awareness. In this work, we use a serious game approach that presents players with Java challenges to raise Java programmers' secure coding awareness. Towards this, we adapted an existing platform, embedded in a serious game, to assess Java secure coding exercises and performed an empirical study. Our preliminary results provide a positive indication of our solution’s viability as a means of secure software development training. Our contribution can be used by practitioners and researchers alike through an overview on the implementation of automatic security assessment of Java CyberSecurity Challenges and their evaluation in an industrial context.
Cite as

Luís Afonso Casqueiro, Tiago Espinha Gasiba, Maria Pinto-Albuquerque, and Ulrike Lechner. Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results. In Second International Computer Programming Education Conference (ICPEC 2021). Open Access Series in Informatics (OASIcs), Volume 91, pp. 10:1-10:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2021)

Copy BibTex To Clipboard

@InProceedings{casqueiro_et_al:OASIcs.ICPEC.2021.10,
  author =	{Casqueiro, Lu{\'\i}s Afonso and Gasiba, Tiago Espinha and Pinto-Albuquerque, Maria and Lechner, Ulrike},
  title =	{{Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results}},
  booktitle =	{Second International Computer Programming Education Conference (ICPEC 2021)},
  pages =	{10:1--10:11},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-194-8},
  ISSN =	{2190-6807},
  year =	{2021},
  volume =	{91},
  editor =	{Henriques, Pedro Rangel and Portela, Filipe and Queir\'{o}s, Ricardo and Sim\~{o}es, Alberto},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2021.10},
  URN =		{urn:nbn:de:0030-drops-142269},
  doi =		{10.4230/OASIcs.ICPEC.2021.10},
  annote =	{Keywords: Education, Teaching, Training, Awareness, Secure Coding, Industry, Programming, Cybersecurity, Capture-the-Flag, Intelligent Coach}
}
Document
Short Paper
DOI: 10.4230/OASIcs.ICPEC.2021.11
Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper)

Authors: Tiange Zhao, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 91, Second International Computer Programming Education Conference (ICPEC 2021)

Abstract
Nowadays, companies are increasingly using cloud-based platform for its convenience and flexibility. However, companies still need to protect their assets when deploying their infrastructure in the cloud. Over the last years, the number of cloud-specific vulnerabilities has been increasing. In this work, we introduce a serious game to help participants to understand the inherent risks, understand the different roles, and to encourage proactive defensive thinking. Our game includes an automated evaluator as a novel element. The players are invited to build defense plans and attack plans, which will be checked by the evaluator. We design the game and organize a trial-run in an industrial setting. Our preliminary results bring insight into the design of such a game, and constitute the first step in a research using design science.
Cite as

Tiange Zhao, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper). In Second International Computer Programming Education Conference (ICPEC 2021). Open Access Series in Informatics (OASIcs), Volume 91, pp. 11:1-11:8, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2021)

Copy BibTex To Clipboard

@InProceedings{zhao_et_al:OASIcs.ICPEC.2021.11,
  author =	{Zhao, Tiange and Gasiba, Tiago Espinha and Lechner, Ulrike and Pinto-Albuquerque, Maria},
  title =	{{Exploring a Board Game to Improve Cloud Security Training in Industry}},
  booktitle =	{Second International Computer Programming Education Conference (ICPEC 2021)},
  pages =	{11:1--11:8},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-194-8},
  ISSN =	{2190-6807},
  year =	{2021},
  volume =	{91},
  editor =	{Henriques, Pedro Rangel and Portela, Filipe and Queir\'{o}s, Ricardo and Sim\~{o}es, Alberto},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2021.11},
  URN =		{urn:nbn:de:0030-drops-142276},
  doi =		{10.4230/OASIcs.ICPEC.2021.11},
  annote =	{Keywords: cloud security, cloud control matrix, shared-responsibility model, industry, training, gamification}
}
Document
DOI: 10.4230/OASIcs.ICPEC.2020.10
Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis

Authors: Tiago Gasiba, Ulrike Lechner, Filip Rezabek, and Maria Pinto-Albuquerque

Published in: OASIcs, Volume 81, First International Computer Programming Education Conference (ICPEC 2020)

Abstract
To minimize the possibility of introducing vulnerabilities in source code, software developers may attend security awareness and secure coding training. From the various approaches of how to raise awareness and adherence to coding standards, one promising novel approach is Cybersecurity Challenges. However, in an industrial setting, time is a precious resource, and, therefore, one needs to understand how to optimize the gaming experience of Cybersecurity Challenges and the effect of this game on secure coding skills. This work identifies the time spent solving challenges of different categories, analyzes gaming strategies in terms of a slow and fast team profile, and relates these profiles to the game success. First results indicate that the slow strategy is more successful than the fast approach. The authors also analyze the possible implications in the design and the training of secure coding in an industrial setting by means of Cybersecurity Challenges. This work concludes with a brief overview of its limitations and next steps in the study.
Cite as

Tiago Gasiba, Ulrike Lechner, Filip Rezabek, and Maria Pinto-Albuquerque. Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis. In First International Computer Programming Education Conference (ICPEC 2020). Open Access Series in Informatics (OASIcs), Volume 81, pp. 10:1-10:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)

Copy BibTex To Clipboard

@InProceedings{gasiba_et_al:OASIcs.ICPEC.2020.10,
  author =	{Gasiba, Tiago and Lechner, Ulrike and Rezabek, Filip and Pinto-Albuquerque, Maria},
  title =	{{Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis}},
  booktitle =	{First International Computer Programming Education Conference (ICPEC 2020)},
  pages =	{10:1--10:11},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-153-5},
  ISSN =	{2190-6807},
  year =	{2020},
  volume =	{81},
  editor =	{Queir\'{o}s, Ricardo and Portela, Filipe and Pinto, M\'{a}rio and Sim\~{o}es, Alberto},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.ICPEC.2020.10},
  URN =		{urn:nbn:de:0030-drops-122977},
  doi =		{10.4230/OASIcs.ICPEC.2020.10},
  annote =	{Keywords: education, training, secure coding, industry, cybersecurity, capture-the-flag, game analysis, cybersecurity challenge}
}
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact