skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Can We use Authentic Learning to Educate Students about Secure Infrastructure as Code Development?
Despite yielding benefits for organizations, infrastructure as code (IaC) scripts are susceptible to security weaknesses, such as hard-coded passwords. Existence of such security weaknesses necessitate integration of education materials related to secure development of IaC scripts. In this preliminary work, we describe our experiences of how application of authentic learning helped students learn about secure development of IaC scripts. Our paper shows education materials based on authentic learning to help students learn about secure IaC development.  more » « less
Award ID(s):
2026869
PAR ID:
10343041
Author(s) / Creator(s):
; ; ;
Date Published:
Journal Name:
27th ACM Conference on on Innovation and Technology in Computer Science Education (ITiCSE '22)
Page Range / eLocation ID:
631 to 631
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, 2021 IEEE Secure Development Conference (SecDev))
    Despite being beneficial in automated provisioning of computing infrastructure at scale, infrastructure as code (IaC) scripts are susceptible to containing secrets, such as hard-coded passwords. A derivation of practices related to secret management for IaC can help practitioners to secure their secrets, potentially aiding them to securely develop IaC scripts. The goal of the paper is to help practitioners in secure development of infrastructure as code (IaC) scripts by identifying practices for secret management in IaC. We conduct a grey literature review with 38 Internet artifacts to identify 12 practices. We identify practices that are applicable for all IaC languages, e.g., prioritized encryption, as well as language-specific practices, such as state separation for Terraform. Our findings can be beneficial for (i) practitioners who can apply the identified practices to secure secrets in IaC development, and (ii) researchers who can investigate how the secret management process can be improved to facilitate secure development of IaC scripts. 
    more » « less
  2. ; (, 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER))
    Infrastructure as Code (IaC) scripts, such as Puppet scripts, provide practitioners the opportunity to provision computing infrastructure automatically at scale. Poorly written IaC scripts impact various facets of quality (such as security and maintainability) and, in turn, may lead to serious consequences. Many of the ill-effects can be avoided or rectified easily by following recommendations derived from research and best practices gleaned from experience. While researchers have investigated methods to improve quality aspects of Puppet scripts, such research needs to be summarized and synthesized for industry practitioners. In this article, we summarize recent research in the IaC domain by discussing key quality issues, specifically security and maintainability smells, that may arise in an IaC script. We also mine open-source repositories from three organizations (Mozilla, Openstack, and Wikimedia) and report our observations on the identified smells. Furthermore, we also synthesize recommendations from the literature for software practitioners that could improve the quality of IaC scripts. Software development teams dealing with large computing infrastructure can get benefited from the actionable recommended practices. In addition, researchers in the domain may use this study to find opportunities to improve the state-of-the-art. 
    more » « less
  3. ; ; (, IEEE)
    This research-to-practice paper reports students' perceptions on using a teaching framework called authentic learning to learn about information flow analysis. Using information flow analysis, practitioners find the flow of data across one or multiple programs. Information flow analysis is helpful for multiple software engineering activities, such as detecting software bugs and developing software fuzzing techniques. Despite being helpful in practice, learning about information flow analysis remains an impediment for students, which in turn prevents them from reaping the benefits of using information flow analysis. Therefore, an application of a teaching framework can aid students in learning about information flow analysis. To that end, we systematically investigate if authentic learning---a teaching framework that emphasizes on providing hands on experience for a practically relevant topic---is helpful for students to learn about information flow analysis. Upon conducting the exercise, students are asked to participate in a survey where they report perceptions about the conducted exercise. We analyze data from 170 students who were introduced to information flow analysis through an authentic learning-based exercise. From our analysis, we observe: (i) majority of the students to have little to no knowledge about information flow analysis prior to conducting the authentic learning-based exercise; (ii) 74.1\% of the 170 students find the authentic learning-based exercise helpful to learn about information flow analysis; and (iii) student perceptions to vary for the three components of the authentic learning-based exercise. We conclude our paper by describing the implications of our findings for instructors and researchers. For example, instructors should consider the education level of students while designing activities for individual authentic learning components to educate students on information flow analysis. Furthermore, researchers can devise strategies on how instructors can allocate their efforts for each authentic learning component through empirical studies. These studies may investigate the correlation between reported helpfulness and socio-technical factors, such as education level of students. 
    more » « less
  4. ; ; ; ; ; (, IEEE Frontiers in Education (FIE) Conference)
    As mobile computing is now becoming more and more popular, the security threats to mobile applications are also growing explosively. Mobile app flaws and security defects could open doors for hackers to break into them and access sensitive information. Most vulnerabilities should be addressed in the early stage of mobile software development. However, many software development professionals lack awareness of the importance of security vulnerability and the necessary security knowledge and skills at the development stage. The combination of the prevalence of mobile devices and the rapid growth of mobile threats has resulted in a shortage of secure software development professionals. Many schools offer mobile app development courses in computing curriculum; however, secure software development is not yet well represented in most schools' computing curriculum. This paper addresses the needs of authentic and active pedagogical learning materials for SSD and challenges of building Secure Software Development (SSD) capacity through effective, engaging, and investigative approaches. In this paper, we present an innovative authentic and active SSD learning approach through a collection of transferrable learning modules with hands-on companion labs based on the Open Web Application Security Project (OWASP) recommendations. The preliminary feedback from students is positive. Students have gained hands-on real world SSD learning experiences with Android mobile platform and also greatly promoted self-efficacy and confidence in their mobile SSD learning. 
    more » « less
  5. ; ; ; ; ; (, 2018 IEEE Frontiers in Education Conference (FIE))
    As mobile computing is now becoming more and more popular, the security threats to mobile applications are also growing explosively. Mobile app flaws and security defects could open doors for hackers to break into them and access sensitive information. Most vulnerabilities should be addressed in the early stage of mobile software development. However, many software development professionals lack awareness of the importance of security vulnerability and the necessary security knowledge and skills at the development stage. The combination of the prevalence of mobile devices and the rapid growth of mobile threats has resulted in a shortage of secure software development professionals. Many schools offer mobile app development courses in computing curriculum; however, secure software development is not yet well represented in most schools' computing curriculum. This paper addresses the needs of authentic and active pedagogical learning materials for SSD and challenges of building Secure Software Development (SSD) capacity through effective, engaging, and investigative approaches. In this paper, we present an innovative authentic and active SSD learning approach through a collection of transferrable learning modules with hands-on companion labs based on the Open Web Application Security Project (OWASP) recommendations. The preliminary feedback from students is positive. Students have gained hands-on real world SSD learning experiences with Android mobile platform and also greatly promoted self-efficacy and confidence in their mobile SSD learning. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email