Using Real-world Bug Bounty Programs in Secure Coding Course: Experience Report
- URL: http://arxiv.org/abs/2404.12043v1
- Date: Thu, 18 Apr 2024 09:53:49 GMT
- Title: Using Real-world Bug Bounty Programs in Secure Coding Course: Experience Report
- Authors: Kamil Malinka, Anton Firc, Pavel Loutocký, Jakub Vostoupal, Andrej Krištofík, František Kasl,
- Abstract summary: Training new cybersecurity professionals is a challenging task due to the broad scope of the area. We propose a solution: integrating a real-world bug bounty programme into the cybersecurity curriculum. We let students choose to participate in a bug bounty programme as an option for the semester assignment in a secure coding course.
- Score: 1.099532646524593
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and for new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into the cybersecurity curriculum. This innovative approach aims to fill the gap in practical cybersecurity education and also brings additional positive benefits. To evaluate our idea, we included the proposed solution in a secure coding course at an IT-oriented faculty. We let students choose to participate in a bug bounty programme as an option for the semester assignment in the secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.
Related papers
- Attack Atlas: A Practitioner's Perspective on Challenges and Pitfalls in Red Teaming GenAI [52.138044013005]
Generative AI, particularly large language models (LLMs), is becoming increasingly integrated into production applications.
New attack surfaces and vulnerabilities emerge and put a focus on adversarial threats in natural language and multi-modal systems.
Red-teaming has gained importance in proactively identifying weaknesses in these systems, while blue-teaming works to protect against such adversarial attacks.
This work aims to bridge the gap between academic insights and practical security measures for the protection of generative AI systems.
arXiv Detail & Related papers (2024-09-23T10:18:10Z)
- Rethinking the Vulnerabilities of Face Recognition Systems: From a Practical Perspective [53.24281798458074]
Face Recognition Systems (FRS) have increasingly been integrated into critical applications, including surveillance and user authentication.
Recent studies have revealed vulnerabilities in FRS to adversarial attacks (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning).
arXiv Detail & Related papers (2024-05-21T13:34:23Z)
- Practical Cybersecurity Ethics: Mapping CyBOK to Ethical Concerns [13.075370397377078]
We use ongoing work on the Cyber Security Body of Knowledge (CyBOK) to help elicit and document the responsibilities and ethics of the profession.
Based on a literature review of the ethics of cybersecurity, we use CyBOK to frame the exploration of ethical challenges in the cybersecurity profession.
Our findings indicate that there are broad ethical challenges across the whole of cybersecurity, but also that different areas of cybersecurity can face specific ethical considerations.
arXiv Detail & Related papers (2023-11-16T19:44:03Z)
- Teaching DevOps Security Education with Hands-on Labware: Automated Detection of Security Weakness in Python [4.280051038571455]
We introduce hands-on learning modules that enable learners to become familiar with identifying known security weaknesses.
To cultivate an engaging and motivating learning environment, our hands-on approach includes pre-lab, hands-on, and post-lab sections.
arXiv Detail & Related papers (2023-08-14T16:09:05Z)
- Want to Raise Cybersecurity Awareness? Start with Future IT Professionals [0.4893345190925178]
Our university designed an innovative cybersecurity awareness course that is freely available online for students, employees, and the general public.
The course offers simple, actionable steps that anyone can use to implement defensive countermeasures.
To measure the course impact, we administered it to 138 computer science undergraduates within a compulsory information security and cryptography course.
arXiv Detail & Related papers (2023-07-14T20:07:27Z)
- On the Security Risks of Knowledge Graph Reasoning [71.64027889145261]
We systematize the security threats to KGR according to the adversary's objectives, knowledge, and attack vectors.
We present ROAR, a new class of attacks that instantiate a variety of such threats.
We explore potential countermeasures against ROAR, including filtering of potentially poisoning knowledge and training with adversarially augmented queries.
arXiv Detail & Related papers (2023-05-03T18:47:42Z)
- XSS for the Masses: Integrating Security in a Web Programming Course using a Security Scanner [3.387494280613737]
Cybersecurity education is an important part of undergraduate computing curricula.
Many institutions teach it only in dedicated courses or tracks.
An alternative approach is to integrate cybersecurity concepts across non-security courses.
arXiv Detail & Related papers (2022-04-26T16:20:36Z)
- Proceedings of the Artificial Intelligence for Cyber Security (AICS) Workshop at AAAI 2022 [55.573187938617636]
The workshop will focus on the application of AI to problems in cyber security.
Cyber systems generate large volumes of data; utilizing this effectively is beyond human capabilities.
arXiv Detail & Related papers (2022-02-28T18:27:41Z)
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
- Adversarial Machine Learning Attacks and Defense Methods in the Cyber Security Domain [58.30296637276011]
This paper summarizes the latest research on adversarial attacks against security solutions based on machine learning techniques.
It is the first to discuss the unique challenges of implementing end-to-end adversarial attacks in the cyber security domain.
arXiv Detail & Related papers (2020-07-05T18:22:40Z)
- Experiences and Lessons Learned Creating and Validating Concept Inventories for Cybersecurity [0.0]
The Cybersecurity Concept Inventory (CCI) is for students who have recently completed any first course in cybersecurity.
The Cybersecurity Curriculum Assessment (CCA) is for students who have recently completed an undergraduate major or track in cybersecurity.
Each assessment tool comprises 25 multiple-choice questions (MCQs) of various difficulties that target the same five core concepts.
arXiv Detail & Related papers (2020-04-10T22:40:04Z)