Abstract
Understanding why developers continue to misuse security tools is critical to designing safer software, yet the underlying reasons developers fail to write secure code are not well understood. To better understand how to teach these skills, we conducted two comparatively large-scale usability studies with undergraduate CS students to assess the factors that affect success rates in securing web applications against cross-site request forgery (CSRF) attacks. First, we examined the impact of providing students with example code and/or a testing tool. Next, we examined the impact of working in pairs. We found that access to relevant secure code samples significantly improved security outcomes. However, access to the tool alone had no significant effect on security outcomes, and, surprisingly, the same held true for the tool and example code combined. These results confirm the importance of high-quality example code and demonstrate the potential danger of using security tools in the classroom that have not been validated for usability. No individual differences predicted a student's ability to complete the task. We also found that working in pairs had a significant positive effect on security outcomes. These results provide useful directions for teaching computer security programming skills to undergraduate students.
International Journal of Computer Science Education in Schools, April 2021, Vol 5, No 2, ISSN 2513-8359
Highlights
Despite a growing emphasis among security experts on secure coding practices, software developers continue to regularly misuse or misunderstand secure coding tools.
In study 1, we examined the impact of example code and a cross-site request forgery (CSRF) detection tool on a student's ability to repair CSRF vulnerabilities in a test server.
In study 1, we examined the impact of providing students with particular resources during the assignment: a fuzz-testing tool and/or example code.
Summary
Despite a growing emphasis among security experts on secure coding practices, software developers continue to regularly misuse or misunderstand secure coding tools. Understanding how best to train students in secure coding practices is critical to designing safer software. Recent efforts within usable security research have attempted to enumerate the causes of developer errors that lead to security vulnerabilities in software. Our work builds on previous studies by trying to understand how to better instruct undergraduate computer science students in security programming, examining the impact of using code samples, software tools, and pair programming in the classroom. In study 1, we examined the impact of example code and a CSRF detection tool on a student's ability to repair CSRF vulnerabilities in a test server. In study 2, we examined the effect of students working alone versus working in pairs.
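For readers who have not seen the class of repair the study's assignment calls for, the following is an added example and not code from the paper or from its test server. It shows a minimal state-changing handler first in its CSRF-vulnerable form and then hardened with a synchronizer token and an Origin check. The Session and Request classes, the balances dictionary, the deployment origin bank.example and the attacker origin evil.example are all simplified stand-ins assumed here so that the example runs without a web framework.

```python
# Added example (not code from the paper or from its test server): the kind of
# CSRF repair the study asked students to make, shown as a minimal state-changing
# handler without and with a synchronizer token plus an Origin check.
# Session, Request, the balances dict and the origins are simplified stand-ins
# (assumptions) so the example runs without a web framework.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    user: str
    csrf_token: str = ""          # server-side copy of the anti-CSRF token


@dataclass
class Request:
    method: str
    form: Dict[str, str]          # parsed POST body
    session: Session              # resolved from the session cookie the browser attached
    origin: Optional[str] = None  # Origin header, if the browser sent one


def issue_token(session: Session) -> str:
    """Mint one unguessable token per session and remember it server-side.
    The site embeds this value as a hidden field in every form it renders."""
    if not session.csrf_token:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def transfer_vulnerable(req: Request, balances: Dict[str, int]) -> int:
    """Trusts the session cookie alone: a form auto-submitted from any other
    site while the victim is logged in moves the victim's money."""
    if req.method != "POST":
        return 405
    amount = int(req.form["amount"])
    balances[req.session.user] -= amount
    balances[req.form["to"]] = balances.get(req.form["to"], 0) + amount
    return 200


def transfer_hardened(req: Request, balances: Dict[str, int],
                      allowed_origins: Set[str]) -> int:
    """Same action, but the request must prove it came from the site's own page."""
    if req.method != "POST":
        return 405
    # Check 1: browsers set Origin on cross-site POSTs; a foreign value is rejected.
    # A missing header is tolerated only because the token check below still applies.
    if req.origin is not None and req.origin not in allowed_origins:
        return 403
    # Check 2: synchronizer token. An attacker's page cannot read the token out of
    # the victim's session, so a forged form cannot include it. Constant-time compare.
    expected = req.session.csrf_token
    submitted = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    amount = int(req.form["amount"])
    balances[req.session.user] -= amount
    balances[req.form["to"]] = balances.get(req.form["to"], 0) + amount
    return 200


SITE_ORIGINS = {"https://bank.example"}  # assumed deployment origin


def demo():
    """Replay one forged cross-site POST against each handler, then a legitimate
    same-site POST against the hardened one. Returns
    (vuln_status, vuln_balance, hard_status, hard_balance, legit_status, legit_balance)."""
    victim = Session(user="alice")
    issue_token(victim)  # token exists, but only bank.example pages ever render it

    def forged() -> Request:
        # Constructed attacker request: the browser attaches alice's cookie, so the
        # handler sees her session, but the form fields come from evil.example.
        return Request("POST", {"to": "mallory", "amount": "100"}, victim,
                       origin="https://evil.example")

    balances = {"alice": 500, "mallory": 0}
    vuln_status = transfer_vulnerable(forged(), balances)
    vuln_balance = balances["alice"]

    balances = {"alice": 500, "mallory": 0}
    hard_status = transfer_hardened(forged(), balances, SITE_ORIGINS)
    hard_balance = balances["alice"]

    legit = Request("POST", {"to": "mallory", "amount": "100",
                             "csrf_token": victim.csrf_token}, victim,
                    origin="https://bank.example")
    legit_status = transfer_hardened(legit, balances, SITE_ORIGINS)
    legit_balance = balances["alice"]
    return (vuln_status, vuln_balance, hard_status, hard_balance,
            legit_status, legit_balance)


if __name__ == "__main__":
    print(demo())  # (200, 400, 403, 500, 200, 400)
```

The two checks are deliberately independent: the Origin check alone fails open when a client omits the header, and the token check alone is only as strong as the secrecy of the token, so a repair that students (or a detection tool) accept as complete should keep both.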