
Title: Identifying Gaps in the Secure Programming Knowledge and Skills of Students
Often, security topics are only taught in advanced computer science (CS) courses. However, most US R1 universities do not require students to take these courses to complete an undergraduate CS degree. As a result, students can graduate without learning about computer security and secure programming practices. To gauge students' knowledge and skills in secure programming, we conducted a coding interview with 21 students from two R1 universities in the United States. All the students in our study had at least taken Computer Systems or an equivalent course. We then analyzed the students' approach to safe programming practices, such as avoiding unsafe functions like gets and strcpy, and their basic security knowledge, such as writing code that assumes user inputs can be malicious. Our results suggest that students lack the key fundamental skills to write secure programs. For example, students rarely pay attention to details, such as compiler warnings, and often do not read programming language documentation with care. Moreover, some students have only a cursory understanding of memory layout, which is crucial for writing secure programs. We also found that some students struggle with even the basics of C programming, even though it is the main language taught in Computer Systems courses.
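The two practices the abstract names, avoiding gets and strcpy and treating user input as hostile, in working C. This is an added example, not code from the paper or its interview tasks; the `struct account` layout with its `is_admin` flag, the function names and the input lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record, constructed for this example: a 16-byte name field
 * followed by a privilege flag that an overflow of the name would overwrite. */
struct account {
    char name[16];
    int  is_admin;
};

/* Vulnerable: strcpy copies until the NUL of src with no regard for the size
 * of acct->name. Attacker-controlled src of 16 or more bytes spills into
 * is_admin and whatever follows. Shown only to contrast with the safe
 * version; never call it on untrusted input. */
void set_name_unsafe(struct account *acct, const char *src)
{
    strcpy(acct->name, src);
}

/* Hardened: assume src is malicious, measure it against the destination,
 * reject anything that does not fit, and always NUL-terminate.
 * Returns 0 on success, -1 if the name was rejected. */
int set_name_safe(struct account *acct, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof acct->name);
    if (nul == NULL)                    /* no terminator within 16 bytes */
        return -1;
    size_t n = (size_t)(nul - src);
    memcpy(acct->name, src, n + 1);     /* copies the terminator too */
    return 0;
}

/* Bounded line reader in place of gets(), which has no length argument at all
 * and was removed in C11 (glibc still warns at link time if you use it).
 * Reads at most cap-1 bytes, strips the newline and, instead of silently
 * truncating an over-long line, drains it and reports it as an error so the
 * next read starts at a line boundary.
 * Returns the line length, -1 on EOF or error, -2 if the line was too long. */
long read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (long)len;
    }
    if (feof(in))                       /* final line without a newline */
        return (long)len;
    int c = fgetc(in);
    if (c == EOF || c == '\n')          /* exactly cap-1 bytes: it fit */
        return (long)len;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* buffer filled before newline: drain */
    return -2;
}

/* Stand-in for stdin so the example runs offline: a temporary file holding
 * constructed input. Returns NULL if the file cannot be created. */
FILE *stream_from_string(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    FILE *in = stream_from_string("alice\nthis-line-is-far-too-long-for-the-buffer\nbob");
    if (in == NULL)
        return 1;
    char buf[16];
    struct account acct = { "", 0 };
    long r;
    while ((r = read_line(in, buf, sizeof buf)) != -1) {
        if (r == -2)
            puts("rejected: line too long");
        else if (set_name_safe(&acct, buf) == 0)
            printf("name=%s is_admin=%d\n", acct.name, acct.is_admin);
    }
    fclose(in);
    return 0;
}
```

Build with `-Wall -Wextra` and read the output before running: the abstract's point about ignored compiler warnings applies here, and a truncating-but-silent reader (the common "fix" for gets) is avoided on purpose, since a truncated name is still attacker-chosen data.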
Journal Name:
In Proceedings of the 53rd ACM Technical Symposium on Computer Science Education
Sponsoring Org:
National Science Foundation
More Like this
  1. Nowadays, cyberattack incidents happen on a daily basis. As a result, the demand for a larger and more capable workforce is increasing. To meet this demand, academic institutions have added cybersecurity courses and degree programs to their curricula; however, more effort is needed to address the high demand for cybersecurity professionals. This work aims to bridge the gap between the workforce shortage and the number of qualified graduates available to fill the positions. We approach this by introducing cybersecurity concepts at an early stage of the undergraduate curricula of computer science and engineering programs. Secure programming is critical, as many cybersecurity incidents happen due to software vulnerabilities. However, most undergraduate-level programming courses pay little attention to secure programming practices. As a result, many students graduate with limited knowledge of the security vulnerabilities that might plague the software they develop. Our goal in this work is to introduce secure programming in introductory-level programming courses so that students become aware of cybersecurity issues and carry this security mindset into advanced-level courses and projects in their degree programs. To accomplish this goal, we developed intuitive and interactive modules emphasizing secure programming in C++ and Java courses to help students become secure software developers. These modules are used alongside the coursework to emphasize certain vulnerabilities within the programming environment of a specific language and allow students to learn cybersecurity topics, building a solid foundation and understanding. We developed cybersecurity educational modules for C++ and Java because they are among the most popular languages and are used in introductory programming courses. While designing these modules, we kept in mind that the topics must be relevant to real-world issues in the software industry. 
We used a variety of resources and benchmarks to ensure the authenticity of our chosen topics, including the Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE). While choosing module topics to develop, we had some restrictions. For example, the topics must be introductory and easy to understand, since these modules are geared towards freshman- or sophomore-level undergraduate students who have just started programming. Each developed security module has four components: PowerPoint slides, a lab description, a code template for the lab, and a complete solution. The complete solution for each module is provided to instructors who adopt the modules in their courses so they can check students' work. The modules developed for a C++ programming course include labs on input validation, integer overflow, random number generation, function calls with an incorrect argument type, and dangling pointers. In Java, we developed lab modules for input validation, integer overflow, null object references, random number generation, and data encapsulation. 
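Three of the C++ lab topics listed above (input validation, integer overflow, dangling pointers) chained together the way they occur in real code: an untrusted count is parsed, turned into an allocation size, and the allocation is later freed. This is an added example written in C (the bugs are identical in C-style C++), not one of the lab modules the abstract describes; the function names, the 4-byte element size and the sample inputs are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Input validation: parse a user-supplied element count with strtoul rather
 * than atoi. atoi("12abc") silently returns 12 and atoi("-5") returns -5;
 * here an empty string, a sign, trailing garbage or an out-of-range value is
 * rejected. Returns 0 and stores the count, or -1 on any problem. */
int parse_count(const char *text, uint32_t *out)
{
    if (text == NULL || *text == '\0' || *text == '-' || *text == '+')
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Integer overflow, the unsafe way: a 32-bit count times the element size,
 * done in 32-bit arithmetic. 0x40000001 * 4 wraps to 4, so malloc(4) succeeds
 * and a loop that fills `count` elements writes about 4 GiB past the block.
 * Unsigned wrap is well defined, so calling this is safe; trusting it is not. */
uint32_t table_bytes_unsafe(uint32_t count)
{
    return count * 4u;                          /* 4 == sizeof(uint32_t) */
}

/* Checked version: refuse any count whose product would not fit in size_t.
 * Returns 0 and stores the byte size, or -1 on overflow. */
int table_bytes_checked(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocate only after the size check passed; NULL means rejected or no memory. */
uint32_t *table_alloc(size_t count)
{
    size_t bytes;
    if (table_bytes_checked(count, sizeof(uint32_t), &bytes) != 0)
        return NULL;
    uint32_t *t = malloc(bytes);
    if (t != NULL)
        memset(t, 0, bytes);
    return t;
}

/* Dangling pointers: free() leaves the caller's variable pointing at memory
 * that the allocator may hand out again, so a later access is a silent
 * use-after-free. Freeing through a pointer-to-pointer and nulling it turns
 * that into a NULL dereference, which fails loudly and deterministically. */
void table_free(uint32_t **table)
{
    free(*table);
    *table = NULL;
}

int main(void)
{
    /* Constructed inputs standing in for command-line arguments. */
    const char *inputs[] = { "100", "12abc", "-5", "4294967296" };
    for (size_t i = 0; i < 4; i++) {
        uint32_t n;
        if (parse_count(inputs[i], &n) == 0)
            printf("%-12s accepted: %u\n", inputs[i], (unsigned)n);
        else
            printf("%-12s rejected\n", inputs[i]);
    }
    printf("unsafe size for 0x40000001 elements: %u bytes\n",
           (unsigned)table_bytes_unsafe(0x40000001u));

    uint32_t *t = table_alloc(16);
    if (t != NULL)
        t[15] = 42;                             /* in bounds: 16 elements */
    table_free(&t);
    /* t[0] = 1; would now be a NULL dereference, not a use-after-free */
    return 0;
}
```

The three checks are deliberately separate functions so each can be unit-tested on its own; in a lab setting the unsafe size function is the "before" and `table_bytes_checked` plus `table_free` the "after".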
  2. Research efforts have tried to expose students to security topics early in the undergraduate CS curriculum. However, such efforts are rarely adopted in practice and remain less effective when it comes to writing secure code. In our prior work, we identified key issues with how students code and grouped them into six themes: (a) Knowledge of C, (b) Understanding compiler and OS messages, (c) Utilization of resources, (d) Knowledge of memory, (e) Awareness of unsafe functions, and (f) Understanding of security topics. In this work, we aim to understand students' knowledge of each theme and how that knowledge affects their secure coding practices. Thus, we propose a modified SOLO taxonomy for the latter five themes. We apply the taxonomy to the coding interview data of 21 students from two US R1 universities. Our results suggest that most students have limited knowledge of each theme. We also show that scoring low in these themes correlates with why students fail to write secure code and to identify possible vulnerabilities. 
  3. With computing impacting almost every professional field, it has become essential to provide pathways for students other than those majoring in computer science to acquire computing knowledge and skills. Virtually all employers and graduate and professional schools seek these skills in their employees or students, regardless of discipline. Academia currently leans towards approaches such as double majors or combined majors between computer science and other non-CS disciplines, commonly referred to as "CS+X" programs. These programs tend to require rigorous courses drawn from the institutions' courses for computer science majors. Thus, they may not meet the needs of majors in disciplines such as the social and biological sciences, humanities, and others. The University of Maryland, Baltimore County (UMBC) is taking an approach more suitably termed "X+CS" to fulfill the computing needs of non-CS majors. As part of a National Science Foundation (NSF) grant, we are developing a "computing" minor specifically to meet their needs. To date, we have piloted the first two of the minor's approximately six courses. The first is a variation on the existing Computer Science I course required for majors but restricted to non-majors. Both versions of the course use the Python language and cover the same programming content, but the non-majors are assigned projects with relevance to non-CS disciplines. We use the same student assessment measures of homework, projects, and examinations for both courses. After four semesters, results show that non-CS majors perform comparably to majors. Students also express increased interest in computing and satisfaction with being part of a non-CS major cohort. The second course was piloted in fall 2019. It is a new course intended to enhance and hone programming skills and introduce topics such as web scraping, HTML and CSS, web application development, data formats, and database use. 
Students again express increased interest in computing and were already beginning to apply the computing skills they were learning to their non-CS courses. As a welcome side effect, we experienced a significant increase in the number of women and under-represented minorities (URMs) in these two courses when compared with CS-major-specific courses. Overall, women comprised 52% of the population, with URMs following a similar upward trend. We are currently developing the third course in the computing minor and exploring options for the remaining three. Possibilities include electives from our Information Systems major. We will also be working with our science, social science, and humanities departments to utilize existing courses in those disciplines that apply computing. The student response we have received thus far provides evidence that our computing minor will be popular among UMBC's non-CS population, providing them with a more suitable and positive computing education than existing CS+X efforts. 
  4. Security is a critical aspect of the design, development, and testing of software systems. Due to the increasing need for security-related skills within software systems and engineering, there is a growing demand for these skills to be taught at the university level. A series of 41 security modules was developed to assess the impact of such modules on teaching critical cyber security topics to students. This paper presents the implementation and outcomes of the first set of six security modules in a freshman-level course. This set consists of five modules presented in lectures and a sixth module emphasizing encryption and decryption, used as the semester project for the course. Each module is a collection of concepts related to cyber security. Each cyber security concept is presented with a general description of a security issue to avoid, sample code exhibiting the issue written in the Java programming language, and a second version of the code with an effective solution. The set of modules was implemented in Computer Science I during the Fall 2019 semester. How each concept in these modules is incorporated into lectures depends on both the topic covered and the approach to resolving the related security issue. Students were introduced to the computing concepts behind both the security issue and the appropriate solution in order to fully grasp the overall concept. After presenting the materials to students, continual review with students is also essential. This review process requires exploring use cases for the programming mechanisms presented as solutions to the security issues discussed. In addition to the security modules presented in lectures, students were given a hands-on approach to understanding the concepts through Model-Eliciting Activities (MEAs). MEAs are open-ended, problem-solving activities in which groups of three to four students work to solve realistic, complex problems in a classroom setting. 
The semester project on encryption and decryption was implemented in the course as an MEA. To assess the effectiveness of incorporating security modules with the MEA project into the curriculum of Computer Science I, two sections of the course were used as a control group and a treatment group. The treatment group received the security modules in lectures and the MEA project while the control group did not. To measure the overall effectiveness of incorporating the security modules with the MEA project, both the instructor's effectiveness and the students' attitudes and interest were measured. For the instructor, the primary question was to what extent instructors change their attitudes towards student learning and their teaching practices because of the implementation of cyber security modules through MEAs. For students, the primary question was how the inclusion of security modules with the MEA project improved their understanding of the course materials and their interest in computer science. After the security modules and the MEA project were implemented, students showed a better understanding of cyber security concepts and a greater interest in broader computer science concepts. The instructor's beliefs about teaching, learning, and assessment shifted from teacher-centered to student-centered during his experience with the security modules and the MEA. 
  5. This paper is the culmination of four years of an NSF-funded project implementing and assessing an undergraduate additive manufacturing course at three large state universities: Texas Tech University, Kansas State University, and California State University, Northridge. The research questions addressed are: (1) What changes in skill and knowledge concerning additive manufacturing do undergraduate students experience? (2) What is the effect of this course on attitudes towards engineering and self-efficacy in engineering for enrolled undergraduate students? The sample consists of four years of data from the undergraduate students enrolled in the course at all three universities (combined N = 196). Our method for data collection was matched-pair surveys that contained both (i) an assessment of content knowledge and (ii) an attitudinal assessment previously validated in published research for collecting data about attitudes towards engineering. Matched-pair surveys means that we collected data from Student X at Time 1 (before being taught) and then again from Student X at Time 2 (after being taught), and are able to directly compare any change in content knowledge or attitude within the same person. We also collected demographic information in order to see whether changes in, for example, women differed from those in men. All undergraduates experienced statistically significant increases in content knowledge and additive manufacturing skills. In an intriguing finding, female students outperformed male students, which fits with research indicating that engineering courses that emphasize pragmatic and real-world applications, as well as those that use group work, disproportionately help underserved engineering populations such as women and people of color succeed. Consistent with this finding, undergraduates reported that they perceived gains in teamwork, communication, and computer programming skills. 
These gains were particularly high in female students and students of color. 