XSS for the Masses: Integrating Security in a Web Programming Course using a Security Scanner

• URL: http://arxiv.org/abs/2204.12416v1
• Date: Tue, 26 Apr 2022 16:20:36 GMT
• Title: XSS for the Masses: Integrating Security in a Web Programming Course using a Security Scanner
• Authors: Lwin Khin Shar, Christopher M. Poskitt, Kyong Jin Shim, Li Ying Leonard Wong
• Abstract summary: Cybersecurity education is an important part of undergraduate computing curricula. Many institutions teach it only in dedicated courses or tracks. An alternative approach is to integrate cybersecurity concepts across non-security courses.
• Score: 3.387494280613737
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Related papers

• Rethinking the Vulnerabilities of Face Recognition Systems:From a Practical Perspective [53.24281798458074]
  Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning)
  arXiv  Detail & Related papers  (2024-05-21T13:34:23Z)
• Using Real-world Bug Bounty Programs in Secure Coding Course: Experience Report [1.099532646524593]
  Training new cybersecurity professionals is a challenging task due to the broad scope of the area. We propose a solution: integrating a real-world bug bounty programme into cybersecurity curriculum. We let students choose to participate in a bug bounty programme as an option for the semester assignment in a secure coding course.
  arXiv  Detail & Related papers  (2024-04-18T09:53:49Z)
• Software Repositories and Machine Learning Research in Cyber Security [0.0]
  The integration of robust cyber security defenses has become essential across all phases of software development. Attempts have been made to leverage topic modeling and machine learning for the detection of these early-stage vulnerabilities in the software requirements process.
  arXiv  Detail & Related papers  (2023-11-01T17:46:07Z)
• Cybersecurity as a Crosscutting Concept Across an Undergrad Computer Science Curriculum: An Experience Report [1.6317061277457001]
  We advocate to integrate cybersecurity as a crosscutting concept in Computer Science curricula. The security education was incorporated within CS courses using a partnership between the responsible course instructor and a security expert. We conducted a post-course survey to collect student perceptions, and semi-supervised interviews with responsible course instructors and the security expert to gauge their experience.
  arXiv  Detail & Related papers  (2023-10-11T16:07:42Z)
• Teaching DevOps Security Education with Hands-on Labware: Automated Detection of Security Weakness in Python [4.280051038571455]
  We introduce hands-on learning modules that enable learners to be familiar with identifying known security weaknesses. To cultivate an engaging and motivating learning environment, our hands-on approach includes a pre-lab, hands-on and post lab sections.
  arXiv  Detail & Related papers  (2023-08-14T16:09:05Z)
• Want to Raise Cybersecurity Awareness? Start with Future IT Professionals [0.4893345190925178]
  Our university designed an innovative cybersecurity awareness course that is freely available online for students, employees, and the general public. The course offers simple, actionable steps that anyone can use to implement defensive countermeasures. To measure the course impact, we administered it to 138 computer science undergraduates within a compulsory information security and cryptography course.
  arXiv  Detail & Related papers  (2023-07-14T20:07:27Z)
• Graph Mining for Cybersecurity: A Survey [61.505995908021525]
  The explosive growth of cyber attacks nowadays, such as malware, spam, and intrusions, caused severe consequences on society. Traditional Machine Learning (ML) based methods are extensively used in detecting cyber threats, but they hardly model the correlations between real-world cyber entities. With the proliferation of graph mining techniques, many researchers investigated these techniques for capturing correlations between cyber entities and achieving high performance.
  arXiv  Detail & Related papers  (2023-04-02T08:43:03Z)
• Pre-trained Encoders in Self-Supervised Learning Improve Secure and Privacy-preserving Supervised Learning [63.45532264721498]
  Self-supervised learning is an emerging technique to pre-train encoders using unlabeled data. We perform first systematic, principled measurement study to understand whether and when a pretrained encoder can address the limitations of secure or privacy-preserving supervised learning algorithms.
  arXiv  Detail & Related papers  (2022-12-06T21:35:35Z)
• Learning Barrier Certificates: Towards Safe Reinforcement Learning with Zero Training-time Violations [64.39401322671803]
  This paper explores the possibility of safe RL algorithms with zero training-time safety violations. We propose an algorithm, Co-trained Barrier Certificate for Safe RL (CRABS), which iteratively learns barrier certificates, dynamics models, and policies.
  arXiv  Detail & Related papers  (2021-08-04T04:59:05Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)
• Adversarial Machine Learning Attacks and Defense Methods in the Cyber Security Domain [58.30296637276011]
  This paper summarizes the latest research on adversarial attacks against security solutions based on machine learning techniques. It is the first to discuss the unique challenges of implementing end-to-end adversarial attacks in the cyber security domain.
  arXiv  Detail & Related papers  (2020-07-05T18:22:40Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.