2 research outputs found

    Secure coding intention via protection motivation theory based survey

    Abstract. According to studies, many people acquire programming skills, but most of them lack the ability to produce secure software. This statement reflects the essence of this thesis and provides a direction for problem solving. The focus of this study is to investigate whether a questionnaire prepared using protection motivation theory (PMT) can provide an indication of software developers' intention towards secure programming techniques. This study answers the following research question: Can secure programming intention be aroused with a PMT questionnaire? The questionnaire consists of three categories: background, awareness/knowledge, and PMT questions. Background questions are used to identify the focus group. Awareness and knowledge questions are used to provide secure coding information, which is then reflected on through cognitive thinking via the PMT questions. The questionnaire was built as a web survey and distributed via a professional social network. The questionnaire targets a focused subject group working in micro and small enterprises (<50 employees). The study results are analysed against PMT components to validate the focus group selection as a correct choice. Survey findings, analysed in a qualitative manner (partly quantitative), indicate that the majority of subjects formed an intention towards studying or using secure coding techniques. The focus group PMT analysis results show that in each PMT section, over half indicated a positive response to it. These results will provide a deeper research direction for how to promote secure coding

    Computer Science Education: Secure Software

    Computer security problems have been increasing significantly as the Internet has expanded the means to both access and distribute code and data. Attempts to address these problems through computer science education by focusing on information security, network security, and system security have not been entirely successful. The security problems are serious enough at this time that both industry and academia are looking for other solutions, and even for other partial solutions. One of these proposed partial solutions focuses the security investigations on the commonality that underlies all software: code. The author proposed that all computer science undergraduates should be required to take a computer security course that focuses on code security early in their undergraduate program. The objectives of this course would be to teach the importance of code security, to instruct in practical coding techniques for making programs more secure, and to provide practice in these secure coding techniques. The author has taught an introductory security course with an emphasis on code security over the course of one semester during this research project. The students in the course ranged from second-semester freshmen, straight out of Computer Science I, to seniors graduating at the end of that semester. While results from the pre-test and post-test surveys completed by course subjects were mixed, they suggested that the course was at least partially successful. The students did seem to have a better understanding of computer security but seem not to have improved as much in the area of secure coding as the author had anticipated. The author feels that more repetition and feedback on the writing of secure code will improve the course the next time it is offered. The author believes these proposals are not a perfect solution for the present computer security problem.
However, the author does believe that these proposals are a valid partial solution. Computer Science Departmen