A framework for teaching secure coding practices through a blended learning approach

Abstract

With the recent increase in cyber-related attacks, cybersecurity is becoming a key area of concern for many organisations. Cybersecurity vulnerabilities are typically addressed through the implementation of various cybersecurity controls. These controls can be operational, technical or physical in nature. The focus of this research, however, is on technical controls, with a specific focus on securing web applications. This research investigated whether third-year software development students at the Nelson Mandela University adhered to secure coding practices in their capstone projects. In order to determine adherence, secure coding practices were identified from OWASP for the data access layer in web applications developed in the .NET environment. This was addressed by a Secondary Objective, which was to determine what secure coding practices a web application developer should adhere to in the .NET environment. These secure coding practices were used to conduct a code review on the 2015 third-year capstone projects, and addressed a Secondary Objective, to determine the adherence of third-year software development capstone projects to the identified secure coding practices. The results of the code review were analysed and indicated low levels of adherence, which led to the Problem Statement of this research, namely: undergraduate software development students do not consistently adhere to secure coding practices when developing their third-year capstone projects, thereby leading to vulnerabilities in their web applications. In order to address this Problem Statement, the Primary Objective was identified: to develop a framework for teaching secure coding practices through a blended learning approach. A Secondary Objective, to determine whether third-year software development students have the requisite knowledge relating to secure coding, took the form of a questionnaire to assess students' knowledge of secure coding practices.
This required the achievement of further sub-objectives, which addressed both the knowledge and the behaviour of software development students. The results of this questionnaire indicated that many of the third-year software development students lacked the requisite knowledge. This lack of knowledge and adherence was addressed through an educational intervention, meeting a Secondary Objective, to design and implement an educational intervention to support software development students in the development of secure web applications. In terms of knowledge, online lessons were developed addressing each of the secure coding practices identified. In order to address adherence, students were given a checklist to monitor their adherence to the identified secure coding practices. A Secondary Objective, to determine the effect of the educational intervention on both student adherence and their requisite knowledge regarding secure coding practices, involved the verification of the educational intervention and comprised two components: knowledge and behaviour. Knowledge verification took the form of an online questionnaire given to the 2017 third-year project students. To address behavioural adherence, the researcher conducted a code review on the 2017 capstone projects. The results of the verification showed a general improvement in students' knowledge and high levels of adherence to secure coding practices. Finally, a framework was developed that encompassed the key elements of this research, thereby providing guidance to support the development of secure web applications in higher education institutions and meeting the primary objective of this study.