
    Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results

    Secure software development is a crucial topic that companies need to address to develop high-quality software. However, it has been shown that software developers lack secure coding awareness. In this work, we use a serious game approach that presents players with Java challenges to raise Java programmers' secure coding awareness. Towards this, we adapted an existing platform, embedded in a serious game, to assess Java secure coding exercises and performed an empirical study. Our preliminary results provide a positive indication of our solution's viability as a means of secure software development training. Our contribution can be used by practitioners and researchers alike through an overview on the implementation of automatic security assessment of Java CyberSecurity Challenges and their evaluation in an industrial context.

    Cybersecurity Awareness Platform with Virtual Coach and Automated Challenge Assessment

    Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.
    Comment: Preprint accepted for publication at the 6th Workshop On The Security Of Industrial Control Systems & Of Cyber-Physical Systems (CyberICPS 2020)

    Trusted CI Experiences in Cybersecurity and Service to Open Science

    This article describes experiences and lessons learned from the Trusted CI project, funded by the US National Science Foundation to serve the community as the NSF Cybersecurity Center of Excellence. Trusted CI is an effort to address cybersecurity for the open science community through a single organization that provides leadership, training, consulting, and knowledge to that community. The article describes the experiences and lessons learned of Trusted CI regarding both cybersecurity for open science and managing the process of providing centralized services to a broad and diverse community.
    Comment: 8 pages, PEARC '19: Practice and Experience in Advanced Research Computing, July 28-August 1, 2019, Chicago, IL, US

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian national research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, and from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management.

    A framework for teaching secure coding practices through a blended learning approach

    With the recent increase in cyber-related attacks, cybersecurity is becoming a key area of concern for many organisations. Cybersecurity vulnerabilities are typically addressed through the implementation of various cybersecurity controls. These controls can be operational, technical or physical in nature. The focus of this research, however, is on technical controls with a specific focus on securing web applications. This research investigated whether third-year software development students at the Nelson Mandela University adhered to secure coding practices in their capstone projects. In order to determine adherence, secure coding practices were identified from OWASP for the data access layer in web applications developed in the .NET environment. This was addressed by Secondary Objective, which was To determine what secure coding practices a web application developer should adhere to in the .NET environment. These secure coding practices were used to conduct a code review on 2015 third-year capstone projects, and addressed Secondary Objective, To determine the adherence of third-year software development capstone projects to the identified secure coding practices. The results of the code review were analysed and indicated low levels of adherence, which led to the Problem Statement of this research, namely: Undergraduate software development students do not consistently adhere to secure coding practices when developing their third-year capstone projects, thereby leading to vulnerabilities in their web applications. In order to address this Problem Statement, the Primary Objective was identified, To develop a framework for teaching secure coding practices through a blended learning approach. Secondary Objective, To determine whether third-year software development students have the requisite knowledge relating to secure coding, took the form of a questionnaire to assess students' knowledge relating to secure coding practices. This required the achievement of further sub-objectives which addressed both the knowledge and behaviour of software development students. The results of this questionnaire indicated that many of the third-year software development students lacked the requisite knowledge. This lack of knowledge and adherence was addressed through an educational intervention, meeting Secondary Objective, To design and implement an educational intervention to support software development students in the development of secure web applications. In terms of knowledge, online lessons were developed addressing each of the secure coding practices identified. In order to address adherence, students were given a checklist to monitor their adherence to the identified secure coding practices. Secondary Objective, To determine the effect of the educational intervention on both student adherence and their requisite knowledge regarding secure coding practices, involved the verification of the educational intervention, and comprised two components, knowledge and behaviour. Knowledge verification took the form of an online questionnaire given to 2017 third-year project students. To address behavioural adherence, the researcher conducted a code review on the 2017 capstone projects. The results from the verification showed a general improvement in students' knowledge and high levels of adherence to secure coding practices. Finally, a framework was developed that encompassed the key elements of this research, thereby providing guidance to support the development of secure web applications in higher education institutions and meeting the primary objective of this study.

    Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

    The transfer of cybersecurity domain knowledge from security experts ('Ethical Hackers') to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.