CyberSecurity Challenges: Serious Games for Awareness Training in Industrial Environments
Awareness of cybersecurity topics, e.g., related to secure coding guidelines,
enables software developers to write secure code. This awareness is vital in
industrial environments for the products and services in critical
infrastructures. In this work, we introduce and discuss a new serious game
designed for software developers in the industry. This game addresses software
developers' needs and is shown to be well suited for raising secure coding
awareness of software developers in the industry. Our work results from the
experience of the authors gained in conducting more than ten CyberSecurity
Challenges in the industry. The presented game design, which is shown to be
well accepted by software developers, is a novel alternative to traditional
classroom training. We hope to make a positive impact in the industry by
improving the cybersecurity of products at their early production stages.
Comment: Preprint accepted for publication at the 17. Deutscher
IT-Sicherheitskongress. arXiv admin note: substantial text overlap with
arXiv:2102.0534
CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments
Awareness of cybersecurity topics enables software developers to produce
secure code. This awareness is especially important in industrial environments
for the products and services in critical infrastructures. In this work, we
address how to raise awareness of software developers on the topic of secure
coding. We propose the "CyberSecurity Challenges", a serious game designed to
be used in an industrial environment and address software developers' needs.
Our work distils the experience gained in conducting these CyberSecurity
Challenges in an industrial setting. The main contributions are the design of
the CyberSecurity Challenges events, the analysis of the perceived benefits,
and practical advice for practitioners who wish to design or refine these
games.
Comment: Preprint accepted for publication at the 16th International
Conference on Wirtschaftsinformati
Automated Java Challenges' Security Assessment for Training in Industry - Preliminary Results
Secure software development is a crucial topic that companies need to address to develop high-quality software. However, it has been shown that software developers lack secure coding awareness. In this work, we use a serious game approach that presents players with Java challenges to raise Java programmers' secure coding awareness. Towards this, we adapted an existing platform, embedded in a serious game, to assess Java secure coding exercises and performed an empirical study. Our preliminary results provide a positive indication of our solution's viability as a means of secure software development training. Our contribution can be used by practitioners and researchers alike through an overview on the implementation of automatic security assessment of Java CyberSecurity Challenges and their evaluation in an industrial context.
Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses
Security bugs are errors in code that, when exploited, can lead to serious
software vulnerabilities. These bugs could allow an attacker to take over an
application and steal information. One of the ways to address this issue is by
means of awareness training. The Sifu platform was developed in the industry,
for the industry, with the aim to raise software developers' awareness of
secure coding. This paper extends the Sifu platform with three challenges that
specifically address embedded programming courses, and describes how to
implement these challenges, while also evaluating the usefulness of these
challenges to raise security awareness in an academic setting. Our work
presents technical details on the detection mechanisms for software
vulnerabilities and gives practical advice on how to implement them. The
evaluation of the challenges is performed through two trial runs with a total
of 16 participants. Our preliminary results show that the challenges are
suitable for academia, and can even potentially be included in official
teaching curricula. One major finding is an indicator of the lack of awareness
of secure coding by undergraduates. Finally, we compare our results with
previous work done in the industry and extract advice for practitioners.
Comment: Preprint accepted for publication at the First International
Conference on Code Quality (ICCQ 2021
Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper)
Nowadays, companies are increasingly using cloud-based platforms for their convenience and flexibility. However, companies still need to protect their assets when deploying their infrastructure in the cloud. Over the last years, the number of cloud-specific vulnerabilities has been increasing. In this work, we introduce a serious game to help participants understand the inherent risks, understand the different roles, and to encourage proactive defensive thinking. Our game includes an automated evaluator as a novel element. The players are invited to build defense plans and attack plans, which will be checked by the evaluator. We design the game and organize a trial run in an industrial setting. Our preliminary results bring insight into the design of such a game, and constitute the first step in research using design science
Awareness of Secure Coding Guidelines in the Industry -- A first data analysis
Software needs to be secure, in particular, when deployed to critical
infrastructures. Secure coding guidelines capture practices in industrial
software engineering to ensure the security of code. This study aims to assess
the level of awareness of secure coding in industrial software engineering, the
skills of software developers to spot weaknesses in software code, avoid them,
and the organizational support to adhere to coding guidelines. The approach
draws on well-established theories of policy compliance, neutralization theory,
and security-related stress and the authors' many years of experience in
industrial software engineering and on lessons identified from training secure
coding in the industry. The paper presents the questionnaire design for the
online survey and the first analysis of data from the pilot study.
Comment: Preprint accepted for publication at The 19th IEEE International
Conference on Trust, Security and Privacy in Computing and Communications
(IEEE TrustCom 2020
I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding
Software security is an important topic that is gaining more and more attention due to the rising number of publicly known cybersecurity incidents. Previous research has shown that one way to address software security is by means of a serious game, the CyberSecurity Challenges, which are designed to raise software developers' awareness of secure coding guidelines. This game, which has been proven to be very successful in the industry, makes use of an artificial intelligence technique (laddering technique) to implement a chatbot for human-machine interaction.
Recent advances in machine learning led to a breakthrough, with the implementation of ChatGPT by OpenAI. This algorithm has been trained on a large amount of data and is capable of analysing and interpreting not only natural language, but also small code snippets containing source code in different programming languages. With the advent of ChatGPT, and previous state-of-the-art research in secure software development, a natural question arises: to what extent can ChatGPT aid software developers in writing secure software?
In this paper, we draw on our experience in the industry, and also on extensive previous work, to analyse and reflect on how to use ChatGPT to aid secure software development. Towards this, we run a small experiment using five different vulnerable code snippets. Our interactions with ChatGPT allow us to draw conclusions on the advantages, disadvantages and limitations of using this new technology