The Integration of Secure Programming Education into the IDE


Bill Chu, Heather Lipford
Department of Software and Information Systems, University of North Carolina at Charlotte
02/15/13

Motivation
- Software vulnerabilities are a major contributor to information security problems.
- Many vulnerabilities can be avoided by adhering to secure programming practices, such as input validation and sanitization.
- Example: SQL injection
  - Discovered a long time ago
  - Easily preventable (e.g., by using prepared SQL statements)
  - Yet it is still a problem for about 7% of enterprise web applications
- We are not doing enough for secure programming education.

Challenges
- Most CS courses do not cover secure programming:
  - Courses focus on their own subject matter (e.g., OS, databases, AI).
  - There is not enough time for all the primary topics.
- Difficulties of providing a dedicated secure programming course:
  - It may be an elective, and thus reach only a subset of computing students.
  - There may not be room for it in the degree program.
  - Students may not take it until they are juniors or seniors, by which time they may have acquired insecure programming habits without being aware of it.

Our Approach
- Provide training in, and support for, good secure programming practices as part of the tools that students use to program throughout all their courses.
- This serves as a continuous educational opportunity that adds to or reinforces the students' secure programming training while they are performing their coding activities.

Integrative Learning Theory
- Our brains connect stored information based on use patterns.
- Stronger connections make it easier to recall and apply information.
- When the learning process facilitates these connections, students learn more effectively.

ESIDE Demo
- ESIDE stands for Educational Security in the IDE (Integrated Development Environment).
- Built on the Eclipse Java Development Tooling (JDT).
- Demo video: https://www.youtube.com/watch?v=vjzlpccmjtm
- Major features:
  - Instant security warnings (e.g., for missing input validation, missing output encoding, and dynamic SQL statements)
  - Code generation
  - Interactive annotation
  - Explanation web pages
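To make the "instant security warnings" feature concrete, here is an added example (not ESIDE's own code, which works on the Eclipse JDT parse tree rather than on text) of the kind of rule set a practitioner might prototype: three line-level heuristics, with hypothetical rule names and patterns, run over a constructed Java snippet and reporting a warning for an unvalidated request parameter, a SQL statement built by concatenation, and data written to output without encoding.

```python
import re

# Constructed Java snippet in the style of the ESIDE demo (not from the study).
SAMPLE_JAVA = """\
String title = request.getParameter("Title");
String sql = "SELECT id FROM books WHERE title = ?";
PreparedStatement ps = con.prepareStatement(sql);
ps.setString(1, title);
ResultSet rs = ps.executeQuery();
statement.executeUpdate("UPDATE users SET item='" + item + "'");
out.println("<h1>" + title + "</h1>");
"""

# Hypothetical rules: (rule id, pattern, warning text). Each is a crude
# single-line heuristic standing in for an AST-based check in a real IDE plugin.
RULES = [
    ("untrusted-input",
     re.compile(r'request\.getParameter\s*\('),
     "value comes from the HTTP request; validate it before use"),
    ("dynamic-sql",
     re.compile(r'\.(?:executeQuery|executeUpdate|execute)\s*\(\s*"[^"]*"\s*\+'),
     "SQL text built by concatenation; use a prepared statement with bound parameters"),
    ("output-encoding",
     re.compile(r'\.(?:println|print|write)\s*\(\s*"[^"]*"\s*\+'),
     "data concatenated into output without encoding; HTML-encode it first"),
]


def scan(source):
    """Return (line number, rule id, message) for every line that trips a rule.

    A prepared statement (lines 2-5 of the sample) trips nothing: the query text
    is a constant and the parameter is bound, so the dynamic-sql rule stays quiet.
    """
    warnings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                warnings.append((lineno, rule_id, message))
    return warnings


if __name__ == "__main__":
    for lineno, rule_id, message in scan(SAMPLE_JAVA):
        print(f"line {lineno}: [{rule_id}] {message}")
```

Running the script reports three warnings (lines 1, 6 and 7 of the snippet) and nothing for the prepared-statement lines; the regular expressions are deliberately simple and would miss concatenation spread across lines, which is exactly why a production tool inspects the syntax tree instead.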

Instructional Page (screenshot slide)

Instructional Page 2 (screenshot slide)

Seven Mixed-Method Studies
- Advanced student studies
  - UNCC NBAD assignment deployment
  - UNCC NBAD semester deployment
- Intermediate student study
  - Elon CS2 classroom activity
- Early student studies
  - Elon CS1 classroom activity
  - JCSU CS1 focus group
  - JCSU CS1 interactive walkthrough / interview
  - Elon CS1 points incentive on a 10-day assignment

ESIDE Research Questions
- RQ1: Can ESIDE positively influence a student's secure coding mindset?
- RQ2: Can ESIDE motivate and incentivize students to learn about secure programming (vulnerabilities, coding, etc.)?
- RQ3: Can ESIDE motivate and incentivize students to implement secure programming practices?

Advanced Student Study I
- Students enrolled in a web programming course
  - 20 students with no prior secure programming training
  - Worked on their programming assignments in the lab using Eclipse/Java for 3 hours
  - Two students in the lab at the same time, based on their sign-ups
  - Students were at different stages of project implementation
- Study setup
  - Screen recording and ESIDE logs
  - Pre- and post-tests on secure programming knowledge: two exams, each with 18 true/false questions, counterbalanced
  - Semi-structured interview: perceptions of the warnings and explanation pages, actions they took with ESIDE, what they learned

Sample Test Questions

(Choose ALL that apply) For the following statements, which of the declared variables will require subsequent validation?

    Integer time = System.getTime();
    String title = request.getParameter("Title");
    String message = in.readLine();   // in is an instance of BufferedReader
    Boolean complete = myOrder.checkComplete(orderData);

(Choose ALL that apply) Which of the following statements may be subject to SQL injection?

    String sql = "SELECT composer, date FROM symphony WHERE conductor = ?";
    prest = con.prepareStatement(sql);
    prest.setString(1, request.getParameter("conductor"));
    ResultSet rs1 = prest.executeQuery();

    statement.executeUpdate("UPDATE users SET item='" + user.getItem() + "'");
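Worked answer to the second question, and to the "easily preventable with prepared statements" claim on the motivation slide, as an added example that is not part of the original slides: the block below uses Python with sqlite3 in place of Java/JDBC (the mechanism is the same in either), with a constructed in-memory database holding `symphony` and `users` tables like the ones the quiz names. The `*_dynamic` functions mirror the concatenated `executeUpdate` call; the `*_prepared` functions mirror `prepareStatement`/`setString`. Table contents and the hostile inputs are made up for the demonstration.

```python
import sqlite3

# Constructed sample rows (not from the study).
SYMPHONIES = [
    ("Beethoven", "1808", "Karajan"),
    ("Brahms", "1876", "Karajan"),
    ("Mahler", "1902", "Bernstein"),
]
USERS = [("alice", "book", "user"), ("bob", "lamp", "user")]


def make_db():
    """Fresh in-memory SQLite database standing in for the JDBC connection."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE symphony (composer TEXT, date TEXT, conductor TEXT)")
    con.executemany("INSERT INTO symphony VALUES (?, ?, ?)", SYMPHONIES)
    con.execute("CREATE TABLE users (name TEXT, item TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    con.commit()
    return con


def lookup_dynamic(con, conductor):
    """VULNERABLE: the query text is built by string concatenation, so the
    input is parsed as SQL. This is the pattern behind the quiz's executeUpdate."""
    sql = "SELECT composer, date FROM symphony WHERE conductor = '" + conductor + "'"
    return con.execute(sql).fetchall()


def lookup_prepared(con, conductor):
    """SAFE: the driver binds the parameter; it is only ever treated as a value."""
    sql = "SELECT composer, date FROM symphony WHERE conductor = ?"
    return con.execute(sql, (conductor,)).fetchall()


def set_item_dynamic(con, item):
    """VULNERABLE: mirrors statement.executeUpdate("UPDATE users SET item='" + ... + "'")."""
    con.execute("UPDATE users SET item='" + item + "'")
    return con.execute("SELECT name, item, role FROM users ORDER BY name").fetchall()


def set_item_prepared(con, item):
    """SAFE: the same update with a bound parameter."""
    con.execute("UPDATE users SET item=?", (item,))
    return con.execute("SELECT name, item, role FROM users ORDER BY name").fetchall()


def demo():
    """Run both variants against benign and hostile inputs on fresh databases."""
    benign = "Karajan"
    hostile_select = "x' OR '1'='1"      # turns the WHERE clause into a tautology
    hostile_update = "x', role='admin"   # smuggles a second column assignment
    return {
        "dynamic_benign": lookup_dynamic(make_db(), benign),
        "dynamic_hostile": lookup_dynamic(make_db(), hostile_select),
        "prepared_benign": lookup_prepared(make_db(), benign),
        "prepared_hostile": lookup_prepared(make_db(), hostile_select),
        "update_dynamic": set_item_dynamic(make_db(), hostile_update),
        "update_prepared": set_item_prepared(make_db(), hostile_update),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the hostile inputs, the dynamic SELECT returns every row and the dynamic UPDATE silently promotes both users to `admin`, while the prepared versions return no rows and store the hostile string as an ordinary item value. So for the quiz, the concatenated `executeUpdate` is the injectable statement and the `prepareStatement`/`setString` sequence is not.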

User Study Results
- 20 participants: 12 male master's students, 6 female master's students, and 2 male undergraduate students
- 4 reported knowing a few, but very limited, security concepts
- None had secure programming experience before the study
- Data: test scores, student behavior observations, student perception interviews

Test Results Analysis
- Average scores increased by 10.3 percentage points after using ESIDE
  - Average pre-test score: 53.03%
  - Average post-test score: 63.33%
- The difference between pre- and post-test scores is statistically significant (Wilcoxon signed-rank test on raw test scores: Z = -2.931, p = 0.003)

                    Mean     Std. deviation   Min      Max
  Pre-test (%)      53.03    12.81            33.33    83.33
  Post-test (%)     63.33    10.86            44.44    77.78

Student Behavior
- 461 distinct warnings generated overall
  - 70% clicked (321/461)
  - 47% resolved (217/461)

Advanced Student Study II
- Same population of students as Advanced Student Study I
- Observed 64 students using ESIDE over the course of a semester

Interaction Findings
Interaction / impression:
- [p86] "it wasn't too disruptive or in the way"
- [p183] "easy to use, just had to click in one spot"
- [p190] "the popups are great and super helpful"

Usage:
  Study       Length (days)   Avg days ESIDE ran   Interaction avg per day   Interacted >= 1   Interacted > 10
  NBAD F12    10              3.57 (range 1-7)     7.3                       6                 6
  NBAD Sp13   95              5.56 (range 1-34)    < 1                       32                9

Advanced Findings
RQ1: Can ESIDE positively influence a student's secure coding mindset?
- [p9] "I started to be able to predict when the icon would flag my code before I even wrote it"
- [p10] "I hadn't realized my code was insecure"
- [p11] "I found it helpful and enlightening to see points of insecurity in my code"
- [p190] "the explanations helped me understand why certain code practices are dangerous"

Advanced Findings
RQ2: Can ESIDE motivate and incentivize students to learn about secure programming?
- [p26] "the explanations helped me learn about dangerous code practices"
- [p189] "I learned why my code was unsafe"

Test scores, mean (SD):
                             Pre           Post          Change
  NBAD F12 (n=8)             60.4 (16.8)   65.4 (13.5)    5.0
    ran >= 4 days (n=4)      54.4 (19.2)   69.1 (18.3)   14.7*
    ran < 4 days (n=4)       66.4 (13.9)   61.8 (7.4)    -4.63
  NBAD Sp13 (n=18)           30.6 (25.1)   38.9 (23.5)    8.3
    ran >= 5 days (n=9)      27.8 (26.8)   43.3 (30.0)   15.5*
    ran < 5 days (n=9)       33.3 (24.5)   34.4 (15.1)    1.1

Advanced Findings
RQ3: Can ESIDE motivate and incentivize students to implement secure programming practices?
- [p50] "I was always concerned about getting the project done and not necessarily the quality (in regards to security) of the finished product"
- [p11] "I did not use ESIDE to correct insecurities as that was not my primary concern"
- [p16] "I have not had a chance to work with ESIDE because my main focus was getting [the] project done with full functionality before the due date"

  Study       Assignments   Reviewed auto-generated secure code   Secure code in homework
  NBAD F12    8             5                                     2
  NBAD Sp13   256           4                                     0

Advanced Themes
- Functionality mindset
- Timing
- Students do learn secure programming from ESIDE

Early / Intermediate Overview
  School / Class   Date   Level          Participants   Female / Male   Study type
  Elon CS1         F12    early          61             25 / 36         Classroom activity
  Elon CS2         Sp13   intermediate   22             9 / 13          Classroom activity
  JCSU CS1         Sp13   early          5              1 / 4           Focus group
  JCSU CS1         F13    early          4              1 / 3           Walkthrough
  Elon CS1         F13    early          57             17 / 40         Assignment

Study #1: Early: Elon CS1
- Goal: Explore receptiveness to ESIDE support, assess how well the support level aligns with student knowledge and abilities, and obtain student perceptions of the ESIDE interaction.
- Study: Single lab setting, three sections, 61 participants (25F / 36M). Students wrote a program that accepted a username and averaged grades.
- Data: Pre/post surveys, assignment code, interaction logs, instructional page visits, group interaction notes, informal interviews, open-ended survey questions.
- Quick findings: Students appreciated ESIDE and were willing to modify their code; some confusion with course content; students had been encouraged to ignore Eclipse warnings. [p56] "Eclipse pop-up windows are always kind of vague."

Study #4: Early: Elon CS1
- Goal: Examine the influence of a 5% points incentive on coding behavior and knowledge gain, and explore the receptiveness to, and appropriateness of, the ESIDE support.
- Study: Assignment study with 57 (17F / 40M) students from 3 sections. Students completed a review assignment focused on array manipulation with simple I/O data acquisition.
- Data: Pre/post surveys, assignment code, interaction logs, informal interviews, open-ended survey questions.
- Quick findings: Students unexpectedly struggled with the assignment; 34/43 completed it; those with no incentive interacted at a lower rate than those with an incentive.

Study #5: Intermediate: Elon CS2
- Goal: Assess how well ESIDE's materials and evaluation survey aligned with intermediate student knowledge, and obtain intermediate students' impressions of their ESIDE interaction.
- Study: Single lab setting, one section, 22 (9F / 13M) participants. Students worked on an app that took a name from the user, checked it against a female list and a male list (stored in a separate file), and returned the number of occurrences.
- Data: Post-survey, interaction logs, ethnographic notes.
- Quick findings: Difficulty of learning two topics at once, e.g., course instruction (directories) vs. ESIDE instruction (path traversal).

Early / Intermediate Findings
RQ1: Can ESIDE positively influence a student's secure coding mindset?
- [p54] "it allowed me to be aware of security risks"
- [p93] "It helped me to learn more about how to make better, more secure code"
- [p134] "it shows me that though my code will run with proper user inputs, it's still vulnerable"
- [p137] "showed me what exactly insecure code was"
- [p124] "I believe it gave some good information about something I did not know about"
- [p103] "as a beginning programmer it was nice for me to learn more about this for future programs"

Early / Intermediate Findings
RQ2: Can ESIDE motivate and incentivize students to learn about secure programming?
- [p99] "taught me a little about code security"
- [p134] "I wish I had more practice using ESIDE, I only had a week"
- [p124] "it gave some good information about something I did not know about"
- [p117] "the help page taught me things about secure code that I didn't know before"

  Section                            n    Pre     Pre SD   Post    Post SD   Gain
  Section 1: Points, V2              11   62.8%   9.05     73.6%   6.1       10.7%*
  Section 2: No points, V1           15   69.5%   14.42    71.4%   13.68     1.9%
  Section 3: No points, V2 (exam)    9    67.7%   9.69     78.8%   4.3       11.1%*
  * Significant at the p < 0.05 level. Note the small sample sizes.

Early / Intermediate Findings
RQ3: Can ESIDE motivate and incentivize students to implement secure programming practices?
- [p134] "I was too focused on getting the assignment done"
- [p143] "I was more focused on getting my program to run correctly"
- [p90] "for a class assignment I am not worried about the security of my code"
- [p89] "this was a CSC130 homework assignment - I wasn't concerned about security"

  CS1 assignment study           Assignments collected   Complete assignments   Wrote secure code
  Section 1: Points              16                      14                     11
  Section 2: No points           14                      11                     2
  Section 3: No points (exam)    12                      9                      0

Early / Intermediate Themes
- Timing
- Preparedness
- Functional mindset
- Motivation / incentives
- Institutional variation

Conclusion
- ESIDE's approach can improve students' awareness of secure programming.
- ESIDE may need to be customized for students at different stages of learning.
- Incentives from instructors are important.

Current / Future Work
- Redesign ESIDE, taking our research results into account
  - Focus initially on advanced students
  - Web applications
  - Mobile applications
- More research is needed on strategies for using ESIDE with early and intermediate students.

Thank You!
Acknowledgement: NSF Grants 1318854, 1129190, and 1523041
Your input: https://www.owasp.org/index.php/owasp_aside_project#tab=main (search keywords: OWASP ASIDE)