Nowadays, cyberattack incidents are happening on a daily basis. As a result, the demand for a larger and more challenging workforce is increasing. To handle this demand, academic institutions offer cybersecurity courses and degree programs into their curricula; however, more efforts are needed to address the high demand of the cybersecurity workforce. This work aims to bridge the gap between workforce shortage and the number of qualified graduates to fill the positions. We approach this by introducing cybersecurity concepts at the early stage of undergraduate curricula of computer science and engineering programs. Secure programming is critical as many cybersecurity incidents happen due to software vulnerabilities. However, most UG-level programming courses pay little attention to secure programming practices. As a result, many students graduate with limited knowledge of security vulnerabilities that might plague the developed software. Our goal in this work is to introduce secure programming at introductory level programming courses so that students should be aware of cybersecurity issues and use this security mindset in advanced level courses and projects in their degree programs. To accomplish this goal, we developed intuitive and interactive modules emphasizing secure programming in C++ and Java courses to help students become secure software developers. These modules will be used alongside the coursework to emphasize certain vulnerabilities within the programming environment of a specific language and allow students to learn cybersecurity topics, enforcing a solid foundation and understanding. We developed cybersecurity educational modules for C++ and Java as they are amongst the popular languages and used in introductory programming courses. While designing these modules, we kept in mind that the topics must be relevant to real-world issues in the software industry. We used a variety of resources and benchmarks to ensure the authenticity of our chosen topics, including Common Weakness Enumeration (CWE) and Common Vulnerability and Exposures (CVE). While choosing module topics to develop, we had some restrictions. For example, the topics must be introductory and easy to understand. These modules are geared towards freshman or sophomore-level UG students who have just started programming. The developed security modules have four components: power-point slides, lab description, code template for the lab, and complete solution. The complete solution for each module will be provided to the instructors to check students’ work if they adopt the modules in their courses. The modules developed for a C++ programming course include labs on input validation, integer overflow, random number generation, function call with incorrect argument type, and dangling pointers. In Java, we developed lab modules for input validation, integer overflow, null object reference, random number generator, and data encapsulation.
more »
« less
Inferring and securing software configurations using automated reasoning
Software configurability opens the door to misconfiguration vulnerabilities, invalid settings that expose software weaknesses. Misconfiguration is one the top ten most critical security risks and the most common. This paper envisions a world without misconfiguration vulnerabilities through the use of automated reasoning techniques to infer and secure software configurations. Real-world software, however, often lacks an explicit specification of secure configurations, relying on hand-validation by users. Real-world systems comprise many individual highly-configurable software components, making the space of possible configurations for the whole system enormous. To realize our vision and overcome these challenges, we aim to create a rigorous definition of configuration specifications, use formal methods to mechanize the inference and generation of valid configurations, and develop algorithms to automatically secure against misconfiguration.
more »
« less
- Award ID(s):
- 1941816
- NSF-PAR ID:
- 10222280
- Date Published:
- Journal Name:
- Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
- Page Range / eLocation ID:
- 1517 to 1520
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
The majority of malicious mobile attacks take advantage of vulnerabilities in mobile applications, such as sensitive data leakage via inadvertent or side channel, unsecured sensitive data storage, data transmission, and many others. Most of these mobile vulnerabilities can be detected in the mobile software testing phase. However, most development teams often have virtually no time to address them due to critical project deadlines. To combat this, the more defect removal filters there are in the software development life cycle, the fewer defects that can lead to vulnerabilities will remain in the software product when it is released. As part of Secure Mobile Software Development (SMSD) project, we are currently developing capacity to address the lack of pedagogical materials and real world learning environment in secure mobile software development through effective, engaging, and investigative approaches. In this session, we provide details of a new implemented module named data protection. We also share our initial experience and feedback on the developed module.more » « less
-
As mobile computing is now becoming more and more popular, the security threats to mobile applications are also growing explosively. Mobile app flaws and security defects could open doors for hackers to break into them and access sensitive information. Most vulnerabilities should be addressed in the early stage of mobile software development. However, many software development professionals lack awareness of the importance of security vulnerability and the necessary security knowledge and skills at the development stage. The combination of the prevalence of mobile devices and the rapid growth of mobile threats has resulted in a shortage of secure software development professionals. Many schools offer mobile app development courses in computing curriculum; however, secure software development is not yet well represented in most schools' computing curriculum. This paper addresses the needs of authentic and active pedagogical learning materials for SSD and challenges of building Secure Software Development (SSD) capacity through effective, engaging, and investigative approaches. In this paper, we present an innovative authentic and active SSD learning approach through a collection of transferrable learning modules with hands-on companion labs based on the Open Web Application Security Project (OWASP) recommendations. The preliminary feedback from students is positive. Students have gained hands-on real world SSD learning experiences with Android mobile platform and also greatly promoted self-efficacy and confidence in their mobile SSD learning.more » « less
-
As mobile computing is now becoming more and more popular, the security threats to mobile applications are also growing explosively. Mobile app flaws and security defects could open doors for hackers to break into them and access sensitive information. Most vulnerabilities should be addressed in the early stage of mobile software development. However, many software development professionals lack awareness of the importance of security vulnerability and the necessary security knowledge and skills at the development stage. The combination of the prevalence of mobile devices and the rapid growth of mobile threats has resulted in a shortage of secure software development professionals. Many schools offer mobile app development courses in computing curriculum; however, secure software development is not yet well represented in most schools' computing curriculum. This paper addresses the needs of authentic and active pedagogical learning materials for SSD and challenges of building Secure Software Development (SSD) capacity through effective, engaging, and investigative approaches. In this paper, we present an innovative authentic and active SSD learning approach through a collection of transferrable learning modules with hands-on companion labs based on the Open Web Application Security Project (OWASP) recommendations. The preliminary feedback from students is positive. Students have gained hands-on real world SSD learning experiences with Android mobile platform and also greatly promoted self-efficacy and confidence in their mobile SSD learning.more » « less
-
null (Ed.)Large-scale cloud services deploy hundreds of configuration changes to production systems daily. At such velocity, con- figuration changes have inevitably become prevalent causes of production failures. Existing misconfiguration detection and configuration validation techniques only check configu- ration values. These techniques cannot detect common types of failure-inducing configuration changes, such as those that cause code to fail or those that violate hidden constraints. We present ctests, a new type of tests for detecting failure- inducing configuration changes to prevent production failures. The idea behind ctests is simple—connecting production sys- tem configurations to software tests so that configuration changes can be tested in the context of code affected by the changes. So, ctests can detect configuration changes that ex- pose dormant software bugs and diverse misconfigurations. We show how to generate ctests by transforming the many existing tests in mature systems. The key challenge that we address is the automated identification of test logic and oracles that can be reused in ctests. We generated thousands of ctests from the existing tests in five cloud systems. Our results show that ctests are effective in detecting failure-inducing configuration changes before deployment. We evaluate ctests on real-world failure-inducing configura- tion changes, injected misconfigurations, and deployed con- figuration files from public Docker images. Ctests effectively detect real-world failure-inducing configuration changes and misconfigurations in the deployed files.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- https://doi.org/10.1145/3368089.3417041
