ISBN (print): 9781728108216
This research work is based upon the new Microsoft DigiSpark outreach project initiated by the computer science (CS) program at the University of Wisconsin - Green Bay (UWGB) in an effort to engage K-12 female learners in CS. It describes our unique experiential learning approach combining robotics and cybersecurity, which has been adopted in the outreach workshop sessions as part of our project. Our project involves the use of the NAO humanoid robots in order to successfully engage middle-school and high-school female students, who are underrepresented in CS. These outreach workshop sessions have exposed the young female participants to defensive computer programming and computing security topics by providing them the hands-on opportunity to write secure code for programming the NAO, and to carry out an ethical hack on the NAO in order to explore robotic system vulnerabilities. Existing literature shows that there is limited work on the efficacy of teaching secure-coding and ethical-hacking related computer-security topics using a robotic platform. Prior work indicates that a robotic platform can be an effective and engaging medium for teaching computer security. However, our proposed approach of teaching secure coding and ethical hacking through hands-on exercises with NAO is a first-of-its-kind experiment with female students at the K-12 level. As preliminary evidence of the effectiveness and potential of this novel approach, we discuss our preliminary experimental results, including initial participant interests and survey data, from the multiple NAO secure coding and NAO ethical hacking workshop sessions, which we have conducted with high-school and middle-school female learners.
Industrial Control Systems (ICS) are a vital part of modern critical infrastructures. Recent attacks on ICS indicate that these systems have various types of vulnerabilities. A large number of vulnerabilities are due to secure coding problems in industrial applications. Several international and national organizations such as NIST, DHS, and US-CERT have provided extensive documentation on securing ICS; however, proper details on securing software applications for industrial settings were not presented. The notable point that makes securing ICS a difficult task is the contradiction between security priorities in ICS and in IT systems. In addition, none of the guidelines highlights the implications of adapting general IT security solutions to industrial settings. Moreover, to the best of our knowledge, steps to develop a successful real-world secure industrial application have not been reported. In this paper, the first attempt to employ secure coding best practices in a real-world industrial application (Supervisory Control and Data Acquisition) called OpenSCADA is presented. Experiments indicate that resolving the vulnerabilities of OpenSCADA, in addition to a possible improvement in its availability, does not jeopardize other dimensions of security. In addition, all experiments are backed up with proper statistical tests to determine whether or not the improvements are statistically significant.
Today's software transfers data over the internet. Therefore, there is always a threat of attack by hackers. Security weaknesses in software cause critical economic losses, which are a direct result of software security incidents. Recently, in order to address these security weaknesses, rather than strengthening the security system against the external environment, many have started to realize that it is essential and most efficient for programmers to develop stronger software. Internationally, resolving software weaknesses from the coding stage onward to prevent security incidents, by providing a coding guide, is emerging as a security issue. In particular, user demands on software are becoming enormous and complicated. Weaknesses that could lie in the software have to be removed, and the cost of removing them increases as the development process progresses. This motivates the current interest in removing security weaknesses at the coding stage. This technique is called secure coding, and not only are the academic and industrial worlds showing interest in this technique, but national agencies are also showing great interest. In Korea in particular, the electronic government business has decided to introduce secure coding, and all developed programs will apply the secure coding methodology. The rule checker, the object of study of this research, is a core tool for secure coding which is used to analyze security weaknesses existing in programs using a rule base. In particular, it can be used in the development stage and the examination stage, which makes an efficient composition of the rule checker very important. In this research, a technique to compose a rule checker with maximum efficiency is proposed.
Software security is an important topic that is gaining more and more attention due to the rising number of publicly known cybersecurity incidents. Previous research has shown that one way to address software security is by means of a serious game, the CyberSecurity Challenges, which are designed to raise software developers' awareness of secure coding guidelines. This game, proven to be very successful in the industry, makes use of an artificial intelligence technique (the laddering technique) to implement a chatbot for human-machine interaction. Recent advances in machine learning have led to a breakthrough, with the implementation and release of large language models, now freely available to the public. Such models are trained on a large amount of data and are capable of analyzing and interpreting not only natural language but also source code in different programming languages. With the advent of ChatGPT, and previous state-of-the-art research in secure software development, a natural question arises: to what extent can ChatGPT aid software developers in writing secure software? In this work, we draw on our experience in the industry, and also on extensive previous work, to analyze and reflect on how to use ChatGPT to aid secure software development. Towards this, we conduct two experiments with large language models. Our engagements with ChatGPT and our experience in the field allow us to draw conclusions on the advantages, disadvantages, and limitations of the usage of this new technology.
Secure coding is crucial for the design of secure and efficient software and computing systems. However, many programmers avoid secure coding practices for a variety of reasons. Some of these reasons are lack of knowledge of secure coding standards, negligence, and the poor performance and usability of existing code analysis tools. Therefore, it is essential to create tools that address these issues and concerns. This article features the proposal, development, and evaluation of a recommender system that uses text mining techniques, coupled with IntelliSense technology, to recommend fixes for potential vulnerabilities in program code. The resulting system mines a large code base of over 1.6 million Java files using the MapReduce methodology, creating a knowledge base for a recommender system that provides fixes for taint-style vulnerabilities. Formative testing and a usability study determined that surveyed participants strongly believed that a recommender system would help programmers write more secure code.
ISBN (print): 9781450356381
The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns about Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security, a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configuring Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security by bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practice.
ISBN (print): 9783031054129; 9783031054112
Cloud computing has enabled remarkable progress by providing many advantages such as low initial cost, high scalability and flexibility, and low maintenance cost. The success of cloud computing has drawn developers who want to build various microservices toward serverless applications. However, although many studies have been conducted on the development of serverless applications based on cloud computing over the past few years, the focus is mainly on the security of the cloud computing infrastructure, so there are few studies on serverless application security itself. In this paper, we analyze security vulnerabilities of serverless applications on cloud computing and present secure coding techniques for them. To be effective in practice, an architecture for AWS-based serverless applications is designed, and five major security vulnerabilities are identified using the STRIDE threat methodology. Moreover, we provide secure code for the five identified major security vulnerabilities, which will help make serverless applications more secure.
ISBN (print): 9798400706004
To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and for new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into the cybersecurity curriculum. This innovative approach aims to fill the practical cybersecurity education gap and brings additional positive benefits. To evaluate our idea, we incorporated the proposed solution into a secure coding course at an IT-oriented faculty. We let students choose participation in a bug bounty programme as an option for the semester assignment in the secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.
ISBN (print): 9781450371056
Secure coding is a mission that cannot be neglected as the number of computing devices continues to increase. Every year, thousands of new software vulnerabilities are identified. Education is a crucial factor and a significant challenge in countering cyber threats. But gaining insight into how people learn has always been challenging. There is a considerable need for improved methodologies with active, hands-on educational techniques for programmers to learn practical strategies to mitigate software vulnerabilities, to protect private data, and ultimately to write secure code in the first place. To the best of our knowledge, this is the first use of eye tracking technologies to understand secure coding practices and to improve education. We focused on exploring the ways that students comprehended and learned to develop secure software. We recorded their eye gaze movements while they studied our hands-on learning module and mitigated the weaknesses within the source code. Our study involved 29 students mitigating software vulnerabilities via manual analysis of the source code. The eye tracking data allows us to objectively study and gain insight in order to understand and improve students' learning behavior. Our analysis indicates that there is a distinction in the learning phase between students who answered correctly and students who did not provide the correct mitigation strategy. Specifically, our research indicates that the most effective and efficient way to learn secure coding is to fully understand the coding errors before working on the source code. Our findings also suggest that we can use reading patterns to understand student behaviors in order to develop improved hands-on learning material.
ISBN (print): 9789810854805
The purpose of this paper is to introduce software security for online games at two levels: first at the programming level and second at the web service level. Increasingly, game developers are providing their games online, employing web services; however, security threats evolve with the use of web services in such applications, which is a great challenge for game developers. The roadblock to providing secure game applications is the lack of understanding of secure coding concepts by game programmers. In this paper we propose the 5W1H re-documentation technique and the use of the Scrum agile software development methodology in a reengineering process to educate game programmers about secure coding concepts. The authors first demonstrate how insecure coding can affect the gaming industry by introducing an example of an insecure game login application. Then the same login application is re-documented and reengineered with secure coding concepts. The reengineered application is then tested for security threats.