Skip to main content
Springer Nature Link
Log in

Design of Secure Coding Challenges for Cybersecurity Education in the Industry

  • Conference paper
  • First Online:
Quality of Information and Communications Technology (QUATIC 2020)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1266))

Abstract

According to a recent survey with more than 4000 software developers, “less than half of developers can spot security holes”. As a result, software products present a low-security quality expressed by vulnerabilities that can be exploited by cyber-criminals. This lack of quality and security is particularly dangerous if the software which contains the vulnerabilities is deployed in critical infrastructures. Serious games, and in particular, Capture-the-Flag (CTF) events, have shown promising results in improving secure coding awareness of software developers in the industry. The challenges in the CTF event, to be useful, must be adequately designed to address the target group. This paper presents novel contributions by investigating which challenge types are adequate to improve software developers’ ability to write secure code in an industrial context. We propose 1) six challenge types usable in the industry context, and 2) a structure for the CTF challenges. Our investigation also presents results on 3) how to include hints and penalties into the cyber-security challenges. We evaluated our work through a survey with security experts. While our results show that “traditional” challenge types seem to be adequate, they also reveal a new class of challenges based on code entry and interaction with an automated coach.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
€34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
EUR 29.95
Price includes VAT (Germany)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR 42.79
Price includes VAT (Germany)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR 53.49
Price includes VAT (Germany)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

') var buybox = document.querySelector("[data-id=id_"+ timestamp +"]").parentNode var buyingOptions = buybox.querySelectorAll(".buying-option") ;[].slice.call(buyingOptions).forEach(initCollapsibles) var buyboxMaxSingleColumnWidth = 480 function initCollapsibles(subscription, index) { var toggle = subscription.querySelector(".buying-option-price") subscription.classList.remove("expanded") var form = subscription.querySelector(".buying-option-form") var priceInfo = subscription.querySelector(".price-info") var buyingOption = toggle.parentElement if (toggle && form && priceInfo) { toggle.setAttribute("role", "button") toggle.setAttribute("tabindex", "0") toggle.addEventListener("click", function (event) { var expandedBuyingOptions = buybox.querySelectorAll(".buying-option.expanded") var buyboxWidth = buybox.offsetWidth ;[].slice.call(expandedBuyingOptions).forEach(function(option) { if (buyboxWidth buyboxMaxSingleColumnWidth) { toggle.click() } else { if (index === 0) { toggle.click() } else { toggle.setAttribute("aria-expanded", "false") form.hidden = "hidden" priceInfo.hidden = "hidden" } } }) } initialStateOpen() if (window.buyboxInitialised) return window.buyboxInitialised = true initKeyControls() })()

Institutional subscriptions

Similar content being viewed by others

References

  1. Acar, Y., Stransky, C., Wermke, D., Weir, C., Mazurek, M.L., Fahl, S.: Developers need support, too: a survey of security advice for software developers. In: 2017 IEEE Cybersecurity Development (SecDev), pp. 22–26. IEEE, September 2017

    Google Scholar 

  2. Aoyama, T., Nakano, T., Koshijima, I., Hashimoto, Y., Watanabe, K.: On the complexity of cybersecurity exercises proportional to preparedness. J. Disaster Res. 12(5), 1081–1090 (2017)

    Article  Google Scholar 

  3. Barela, J., Gasiba, E.T., Suppan, S., Berges, M., Beckers, K.: When interactive graphic storytelling fails. In: 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), pp. 164–169. IEEE, September 2019

    Google Scholar 

  4. Beuran, R., Chinen, K.I., Tan, Y., Shinoda, Y.: Towards effective cybersecurity education and training. Research report. School of Information Science, Graduate School of Advanced Science and Technology, Japan Advanced Institute of Science and Technology. IS-RR-2016, April 2016, pp. 1–16 (2016)

    Google Scholar 

  5. Carnegie Mellon University: SEI-CERT coding standards. https://wiki.sei.cmu.edu/confluence/display/seccode

  6. Chung, K., Cohen, J.: Learning obstacles in the capture the flag model. In: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 2014). USENIX Association, San Diego (2014)

    Google Scholar 

  7. CTFtime team: CTFTime - all about CTF. https://ctftime.org

  8. Davis, A., Leek, T., Zhivich, M., Gwinnup, K., Leonard, W.: The fun and future of CTF. In: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 2014). USENIX Association, San Diego (2014)

    Google Scholar 

  9. Dörner, R., Göbel, S., Effelsberg, W., Wiemeyer, J.: Serious Games: Foundations, Concepts and Practice, 1st edn. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40612-1

    Book  Google Scholar 

  10. Gasiba, T., Beckers, K., Suppan, S., Rezabek, F.: On the requirements for serious games geared towards software developers in the industry. In: Damian, D.E., Perini, A., Lee, S. (eds.) 27th IEEE International Requirements Engineering Conference, RE 2019, Jeju Island, Korea (South), 23–27 September 2019. IEEE (2019)

    Google Scholar 

  11. Graziotin, D., Fagerholm, F., Wang, X., Abrahamsson, P.: What happens when software developers are (un)happy. J. Syst. Softw. 140, 32–47 (2018)

    Article  Google Scholar 

  12. Groves, R.M., Fowler, F., Couper, M., Lepkowski, J., Singer, E.: Survey Methodology, 2nd edn. Wiley, Hoboken (2009)

    MATH  Google Scholar 

  13. Gonzalez, H., Llamas, R., Ordaz, F.: Cybersecurity teaching through gamification: aligning training resources to our syllabus. Res. Comput. Sci. 146, 35–43 (2017). https://doi.org/10.13053/rcs-146-1-4

    Article  Google Scholar 

  14. Hänsch, N., Zinaida, B.: Specifying IT security awareness. In: 25th International Workshop on Database and Expert Systems Applications, Munich, Germany, pp. 326–330, September 2014

    Google Scholar 

  15. IEC 62443-4-1: Security for industrial automation and control systems - part 4–1: secure product development lifecycle requirements. Standard, International Electrotechnical Commission, January 2018

    Google Scholar 

  16. ISO: ISO 250xx Series. Standard, International Organization for Standardization, Geneva, CH (2005). http://iso25000.com/index.php/en/iso-25000-standards

  17. ISO 27002: Information technology - security techniques - code of practice for information security controls. Standard, International Organization for Standardization, Geneva, CH, October 2013

    Google Scholar 

  18. Krosnick, J.A.: Questionnaire design. In: Vannette, D.L., Krosnick, J.A. (eds.) The Palgrave Handbook of Survey Research, pp. 439–455. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-54395-6_53

    Chapter  Google Scholar 

  19. Mirkovic, J., Peterson, P.: Class capture-the-flag exercises. In: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 2014) (2014)

    Google Scholar 

  20. Nance, K., Hay, B., Bishop, M.: Secure coding education: are we making progress? In: 16th Colloquium for Information Systems Security Education, pp. 83–88, June 2012

    Google Scholar 

  21. OWASP Top 10. https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf. Accessed June 2019

  22. Oyetoyan, T.D., Milosheska, B., Grini, M., Soares Cruzes, D.: Myths and facts about static application security testing tools: an action research at telenor digital. In: Garbajosa, J., Wang, X., Aguiar, A. (eds.) XP 2018. LNBIP, vol. 314, pp. 86–103. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-91602-6_6

    Chapter  Google Scholar 

  23. Patel, S.: 2019 global developer report: DevSecOps finds security roadblocks divide teams, July 2020. https://about.gitlab.com/blog/2019/07/15/global-developer-report/. Accessed 15 July 2019

  24. Rodriguez, M., Piattini, M., Ebert, C.: Software verification and validation technologies and tools. IEEE Softw. 36(2), 13–24 (2019)

    Article  Google Scholar 

  25. SAFECode charter members: SAFECode - software assurance forum for excellence in code. https://safecode.org

  26. Schneier, B.: Software developers and security, July 2020. https://www.schneier.com/blog/archives/2019/07/software_develo.html. Accessed 25 July 2019

  27. Schonlau, M., Couper, M.: Semi-automated categorization of open-ended questions. Surv. Res. Methods 10(2), 143–152 (2016). https://ojs.ub.uni-konstanz.de/srm/article/view/6213

  28. Seaman, C.: Qualitative methods in empirical studies of software engineering. IEEE Trans. Softw. Eng. 25(4), 557–572 (1999)

    Article  Google Scholar 

  29. Smith, C.: Content analysis and narrative analysis. In: Handbook of Research Methods in Social and Personality Psychology, pp. 313–335 (2000)

    Google Scholar 

  30. Tews, M.J., Noe, R.A.: Does training have to be fun? A review and conceptual model of the role of fun in workplace training. Hum. Resour. Manag. Rev. 29(2), 226–238 (2019)

    Article  Google Scholar 

  31. Whiting, L.: Semi-structured interviews: guidance for novice researchers. Nurs. Stand. 22, 35–40 (2008)

    Article  Google Scholar 

  32. Woody, C., Ellison, R., Nichols, W.: Predicting cybersecurity using quality data. In: 2015 IEEE International Symposium on Technologies for Homeland Security (HST), pp. 1–5. IEEE (2015)

    Google Scholar 

  33. Yang, X.L., Lo, D., Xia, X., Wan, Z.Y., Sun, J.L.: What security questions do developers ask? A large-scale study of stack overflow posts. J. Comput. Sci. Technol. 31(5), 910–924 (2016)

    Article  Google Scholar 

Download references

Acknowledgement

This work is financed by portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the project FCT UIDB/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR-IUL, for their support.

Author information

Authors and Affiliations

  1. Siemens AG, Munich, Germany

    Tiago Gasiba

  2. Universität der Bundeswehr München, Munich, Germany

    Tiago Gasiba & Ulrike Lechner

  3. Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR-IUL, Lisboa, Portugal

    Maria Pinto-Albuquerque

  4. Universität Passau, Passau, Germany

    Alae Zouitni

Authors
  1. Tiago Gasiba
    View author publications

    Search author on:PubMed Google Scholar

  2. Ulrike Lechner
    View author publications

    Search author on:PubMed Google Scholar

  3. Maria Pinto-Albuquerque
    View author publications

    Search author on:PubMed Google Scholar

  4. Alae Zouitni
    View author publications

    Search author on:PubMed Google Scholar

Corresponding author

Correspondence to Tiago Gasiba .

Editor information

Editors and Affiliations

  1. Brunel University, London, UK

    Martin Shepperd

  2. Lisbon University Institute, Lisbon, Portugal

    Fernando Brito e Abreu

  3. University of Lisbon, Lisbon, Portugal

    Alberto Rodrigues da Silva

  4. University of Castilla-La Mancha, Talavera de la Reina, Spain

    Ricardo Pérez-Castillo

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gasiba, T., Lechner, U., Pinto-Albuquerque, M., Zouitni, A. (2020). Design of Secure Coding Challenges for Cybersecurity Education in the Industry. In: Shepperd, M., Brito e Abreu, F., Rodrigues da Silva, A., Pérez-Castillo, R. (eds) Quality of Information and Communications Technology. QUATIC 2020. Communications in Computer and Information Science, vol 1266. Springer, Cham. https://doi.org/10.1007/978-3-030-58793-2_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58793-2_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58792-5

  • Online ISBN: 978-3-030-58793-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics