Pedagogical Assessment of Secure Coding in Student Programs

Saeed Al-Haj; Naeem Seliya; Collin Lee Kemner

Download Paper | Permalink

Conference: 2019 ASEE Annual Conference & Exposition
Location: Tampa, Florida
Publication Date: June 15, 2019
Start Date: June 15, 2019
End Date: June 19, 2019
Conference Session: Topics in Computing
Tagged Division: Computing and Information Technology
Page Count: 11
DOI: 10.18260/1-2--33163
Permanent URL: https://strategy.asee.org/33163
Download Count: 559

Request a correction

Paper Authors

biography

Saeed Al-Haj Ohio Northern University

visit author page

Dr. Saeed Al-Haj, PhD., is an Assistant Professor of Computer Science at Ohio Northern University, Ada, Ohio. He completed his Ph.D. in Computing and Informatics from the University of North Carolina Charlotte. His expertise and general interests include: Computer and Network Security; Security Analytics; Firewalls and Access Control Configuration Analytics; Computer Science Education and Cybersecurity Education. His teaching experiences include teaching Computer Science courses and labs, utilizing technology to maximize student learning process, developing curriculum and labs, and supervising undergraduate students projects.

visit author page

biography

Naeem Seliya Ph.D. Ohio Northern University

visit author page

Dr. Naeem (Jim) Seliya, PhD., is an Associate Professor of Computer Science at Ohio Northern University, Ada, Ohio, USA. His key expertise and interests include Data Science (i.e., Machine Learning, Big Data Analytics, Data Mining, Deep Learning, Data Quality, Feature Engineering, etc.), Software Engineering and Systems Development, Computing Sciences Pedagogy, Assistive Technology for Persons with Disabilities and the Elderly, Cyber Security Analytics, and Interdisciplinary/Applied Data Analytics. He has published about 90 peer-reviewed technical articles in international conferences and journals. Dr. Seliya is proactive in scholastic work and computing sciences pedagogy, including grants, undergraduate research, and curriculum development. His prior professional endeavors include: Assistant (& Associate) Professor of Computer and Information Science at the University of Michigan-Dearborn; Adjunct Instructor of Computer Science and Technology at the State University of New York, Orange; and, President and Senior Software Engineer at Health Safety Technologies, LLC.

visit author page

biography

Collin Lee Kemner Ohio Northern University

visit author page

Mr. Collin Lee Kemner is a current student at Ohio Northern University. He is set to graduate with a B.S. in Computer Science in May 2019. His general expertise and interests include: IoT and Network Technologies, iOS application development, and Secure programming. He has recently published his first ASEE paper and presented at the ASEE NCS Section in March 2019 with his senior capstone team, SoT (Secure of Things).

visit author page

Download Paper | Permalink

Abstract

Students in introductory Computer Science (CS) courses are required to submit several programming assignments and/or projects. The submitted programs are largely assessed on their correctness to the given problem, and not against secure software coding practices. In our experience, student programs typically do not follow secure coding practices, making them susceptible to security problems. Given the general lack of strong emphasis on security concepts in introductory programming courses, students tend to neglect applying secure coding practices.

The goal of this “Work in Progress” is helping students to reduce vulnerabilities in their programs and eliminate coding errors. We will investigate how errors occur, how students interpret and correct these errors, develop metrics to measure how coding standards for security are used, and provide informative feedback and actionable guidelines to students and instructors. The analysis will emphasize security Knowledge Skills and Abilities (KSAs) identified within the National Initiative Cybersecurity Education (NICE) Framework [1]. A list of secure coding practices was compiled using two different resources: SEI CERT Coding Standard [2] and Open Web Application Security Project (OWASP) [3]. The selected coding practices are applicable to C++ and Java. Each secure coding practice is assigned a weight reflecting its importance and severity.

We consider a set of 43 students’ programming assignments in C++ and Java, with all of them being anonymized for Personally Identifiable Information. Each assignment typically has different coding practices that are relevant, which is a result of the difference in requirements among assignments. The problem description of each assignment is analyzed to determine the applicable secure coding practices to each submitted assignment. Our quantitative analysis gives a score out of five to each secure coding practice based on the extent it was implemented: zero implies a rule is not being addressed, while five implies a rule is implemented effectively. Any score between zero and five is based on varying degrees of effectiveness. Subsequently, rules that consistently did not score high for the programs will be given to instructors as a recommended focus in relevant CS courses.

We are currently working on collecting additional student assignments and projects from different courses in different levels, e.g., CS I, CS II, Data Structures, and Software Design Patterns. The quantitative/qualitative analysis of our study have the following key outcomes: 1) Assist instructors in identifying shortcomings of expected good programming practices and secure coding practices in student programs, lending to customized lessons for the introductory programming courses in CS; 2) Bring awareness of secure coding to students in the early stages in their learning process. Many security problems are related to the lack of awareness of possible threats and vulnerabilities; and, 3) Provide feedback to students on their own program solution in terms of its structure and design. This allows students to identify problems and vulnerabilities in their coding design, and rectify the same as they move along in the CS curriculum.

Citation
Format

Al-Haj, S., & Seliya, N., & Kemner, C. L. (2019, June), Pedagogical Assessment of Secure Coding in Student Programs Paper presented at 2019 ASEE Annual Conference & Exposition , Tampa, Florida. 10.18260/1-2--33163

TY - CPAPER
AB - Students in introductory Computer Science (CS) courses are required to submit several programming assignments and/or projects. The submitted programs are largely assessed on their correctness to the given problem, and not against secure software coding practices. In our experience, student programs typically do not follow secure coding practices, making them susceptible to security problems. Given the general lack of strong emphasis on security concepts in introductory programming courses, students tend to neglect applying secure coding practices.

The goal of this “Work in Progress” is helping students to reduce vulnerabilities in their programs and eliminate coding errors. We will investigate how errors occur, how students interpret and correct these errors, develop metrics to measure how coding standards for security are used, and provide informative feedback and actionable guidelines to students and instructors. The analysis will emphasize security Knowledge Skills and Abilities (KSAs) identified within the National Initiative Cybersecurity Education (NICE) Framework [1]. A list of secure coding practices was compiled using two different resources: SEI CERT Coding Standard [2] and Open Web Application Security Project (OWASP) [3]. The selected coding practices are applicable to C++ and Java. Each secure coding practice is assigned a weight reflecting its importance and severity.

We consider a set of 43 students’ programming assignments in C++ and Java, with all of them being anonymized for Personally Identifiable Information. Each assignment typically has different coding practices that are relevant, which is a result of the difference in requirements among assignments. The problem description of each assignment is analyzed to determine the applicable secure coding practices to each submitted assignment. Our quantitative analysis gives a score out of five to each secure coding practice based on the extent it was implemented: zero implies a rule is not being addressed, while five implies a rule is implemented effectively. Any score between zero and five is based on varying degrees of effectiveness. Subsequently, rules that consistently did not score high for the programs will be given to instructors as a recommended focus in relevant CS courses.

We are currently working on collecting additional student assignments and projects from different courses in different levels, e.g., CS I, CS II, Data Structures, and Software Design Patterns. The quantitative/qualitative analysis of our study have the following key outcomes: 1) Assist instructors in identifying shortcomings of expected good programming practices and secure coding practices in student programs, lending to customized lessons for the introductory programming courses in CS; 2) Bring awareness of secure coding to students in the early stages in their learning process. Many security problems are related to the lack of awareness of possible threats and vulnerabilities; and, 3) Provide feedback to students on their own program solution in terms of its structure and design. This allows students to identify problems and vulnerabilities in their coding design, and rectify the same as they move along in the CS curriculum.

AU - Saeed Al-Haj
AU - Naeem Seliya Ph.D.
AU - Collin Lee Kemner
CY - Tampa, Florida
DA - 2019/06/15
PB - ASEE Conferences
TI - Pedagogical Assessment of Secure Coding in Student Programs
UR - https://strategy.asee.org/33163
DO - 10.18260/1-2--33163
ER -