June 15, 2019
June 19, 2019
Computing and Information Technology
Students in introductory Computer Science (CS) courses are required to submit several programming assignments and/or projects. The submitted programs are largely assessed on their correctness to the given problem, and not against secure software coding practices. In our experience, student programs typically do not follow secure coding practices, making them susceptible to security problems. Given the general lack of strong emphasis on security concepts in introductory programming courses, students tend to neglect applying secure coding practices.
The goal of this “Work in Progress” is to help students reduce vulnerabilities in their programs and eliminate coding errors. We will investigate how errors occur, how students interpret and correct these errors, develop metrics to measure how coding standards for security are used, and provide informative feedback and actionable guidelines to students and instructors. The analysis will emphasize the security Knowledge, Skills and Abilities (KSAs) identified within the National Initiative for Cybersecurity Education (NICE) Framework. A list of secure coding practices was compiled from two resources: the SEI CERT Coding Standard and the Open Web Application Security Project (OWASP). The selected coding practices are applicable to C++ and Java. Each secure coding practice is assigned a weight reflecting its importance and severity.
We consider a set of 43 student programming assignments in C++ and Java, all anonymized to remove Personally Identifiable Information. The set of relevant coding practices typically differs from one assignment to another, because the requirements differ among assignments. The problem description of each assignment is analyzed to determine which secure coding practices apply to each submitted assignment. Our quantitative analysis gives each applicable secure coding practice a score out of five based on the extent to which it was implemented: zero means the rule is not addressed at all, while five means the rule is implemented effectively. Scores between zero and five reflect intermediate degrees of effectiveness. Subsequently, rules that consistently score low across the programs will be given to instructors as a recommended focus in the relevant CS courses.
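The scoring procedure above (applicable practices determined per assignment, each scored 0 to 5, each practice carrying a weight, and consistently low-scoring practices reported back to instructors) can be written down as a small rubric calculator. The following is an added illustration, not the authors' tooling: the practice names, weights and scores are constructed sample values, and it assumes (the abstract does not say) that per-assignment scores are combined as a weighted mean and that a practice is flagged for instructors when its mean score, across the assignments where it applies, falls below a chosen threshold.

```python
"""Weighted secure-coding rubric for student assignments (added example).

Assumptions not stated in the abstract: scores combine as a weighted mean,
and a practice is flagged when its mean score across the assignments where
it applies is below a threshold. Practice names and weights are constructed.
"""
from statistics import mean

# Constructed catalogue: practice -> weight (importance/severity). The abstract
# says each practice carries a weight; these particular values are made up.
PRACTICES = {
    "validate-input": 3,
    "check-array-bounds": 3,
    "handle-exceptions": 2,
    "avoid-hardcoded-secrets": 2,
}


def assignment_score(applicable, scores, weights=PRACTICES):
    """Weighted mean (0..5) over the practices applicable to one assignment.

    `applicable` lists the practices relevant to the assignment (derived from
    its problem description); `scores` maps practice -> 0..5. An applicable
    practice that is missing from `scores` counts as 0 (not addressed).
    """
    if not applicable:
        raise ValueError("an assignment must have at least one applicable practice")
    weighted_sum = 0.0
    weight_total = 0
    for practice in applicable:
        score = scores.get(practice, 0)
        if not 0 <= score <= 5:
            raise ValueError(f"score for {practice} must be in 0..5, got {score}")
        weighted_sum += weights[practice] * score
        weight_total += weights[practice]
    return weighted_sum / weight_total


def low_scoring_practices(assignments, threshold=2.5, weights=PRACTICES):
    """Practices whose mean score (over the assignments where they apply) is
    below `threshold`, ordered highest weight first, then lowest mean.

    This is the list the abstract proposes handing to instructors as a
    teaching focus; the threshold is an assumed cut-off.
    """
    per_practice = {}
    for applicable, scores in assignments:
        for practice in applicable:
            per_practice.setdefault(practice, []).append(scores.get(practice, 0))
    flagged = [(p, mean(v)) for p, v in per_practice.items() if mean(v) < threshold]
    flagged.sort(key=lambda item: (-weights[item[0]], item[1]))
    return flagged


# Constructed sample: three anonymized assignments, each with its own set of
# applicable practices and the rubric scores a reviewer assigned.
SAMPLE = [
    (["validate-input", "check-array-bounds"],
     {"validate-input": 1, "check-array-bounds": 4}),
    (["validate-input", "handle-exceptions"],
     {"validate-input": 2, "handle-exceptions": 5}),
    (["validate-input", "check-array-bounds", "avoid-hardcoded-secrets"],
     {"validate-input": 0, "check-array-bounds": 3}),  # secrets rule unaddressed -> 0
]

if __name__ == "__main__":
    for i, (applicable, scores) in enumerate(SAMPLE, 1):
        print(f"assignment {i}: {assignment_score(applicable, scores):.2f}/5")
    print("recommended focus:", low_scoring_practices(SAMPLE))
```

With the constructed sample, the three assignments score 2.50, 3.20 and 1.125 out of five, and input validation (weight 3, mean 1.0) and the hardcoded-secrets rule (weight 2, never addressed) are the ones reported back, which is the kind of per-rule summary the study intends to give instructors.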
We are currently collecting additional student assignments and projects from courses at different levels, e.g., CS I, CS II, Data Structures, and Software Design Patterns. The quantitative and qualitative analysis in our study has the following key outcomes: 1) assist instructors in identifying shortcomings in expected good programming practices and secure coding practices in student programs, leading to customized lessons for the introductory programming courses in CS; 2) bring awareness of secure coding to students early in their learning process, since many security problems stem from a lack of awareness of possible threats and vulnerabilities; and 3) provide feedback to students on their own program solution in terms of its structure and design, allowing them to identify problems and vulnerabilities in their coding design and rectify them as they move through the CS curriculum.
Al-Haj, S., Seliya, N., & Kemner, C. L. (2019, June). Pedagogical Assessment of Secure Coding in Student Programs. Paper presented at the 2019 ASEE Annual Conference & Exposition, Tampa, Florida. https://doi.org/10.18260/1-2--33163
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2019 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015