Friday, October 30, 2015

Improving Application Security with University Students

Having seen the cost associated with fixing vulnerable code first hand, the Secure Code Warrior team is passionate about equipping developers with the skills necessary to prevent such flaws from being introduced in the first place.
Our intention was to build a gamified platform that could be used by seasoned software developers and newcomers alike. To achieve this, we worked with the University of Sydney to provide students of the INFO5010 class (an applied information security subject) with access to our platform for a month.
Together with the lecturer of the INFO5010 subject, Luke Anderson, the students completed SCW challenges in the Java language with a specific focus on Java Server Pages (JSP) and the Java Spring Framework. The objective was to expose the students to secure coding practices and give them a comparative assessment of their own skill set.
The Secure Code Warrior platform ranks developers in four (4) maturity categories based on the number of challenges played and overall accuracy. We expected most students to end up in the “beginner” or “security aware” categories.
Of the twenty-five (25) students who participated, three (3) topped the leaderboard by solving even the most difficult Java Spring challenges. These students achieved the “Security Skilled” developer rank.
Two (2) more reached the “Security Aware” level, but overall it was clear that the students’ level of security knowledge was diverse.
Most students gained points in the “data handling” vulnerabilities, which primarily covers flaws such as SQL injection, code injection and cross-site scripting. The majority of the mistakes were made in the “authentication and access control” challenges.
Feedback from the students indicated that they generally found the challenges quite difficult. As a result, we have added learning features to the platform that provide further training for those who are still in the early stages of their skill development. It was great to see the students battling it out for the top of the leaderboard, and it became clear that the gamification of the platform appealed to the competitive nature of the students.
At the end of the month, the results were used to benchmark the students against their peers, and from this they were awarded marks. This formed part of their overall assessment for the course.
“Secure Code Warrior specifically assesses a respondent’s ability to identify security weaknesses in existing code and fix them. Writing assessments targeting this particular skill is quite difficult, which can lead to a dull experience for students. SCW provided my students with a series of challenging, fun and realistic scenarios that allowed me to effectively differentiate students in regard to this particular skill.” – Luke Anderson, University of Sydney
A big congratulations and thanks to all students of INFO5010 for their effort, courage and feedback while participating on our platform. We learned a lot from watching you play!