2017
DOI: 10.1177/0735633117708816

Embedding Secure Coding Instruction Into the IDE: Complementing Early and Intermediate CS Courses With ESIDE

Abstract: Many of the software security vulnerabilities that people face today can be remediated through secure coding practices. A critical step toward the practice of secure coding is ensuring that our computing students are educated on these practices. We argue that secure coding education needs to be included across a computing curriculum. We are examining an approach that complements traditional classroom instruction by turning the student's integrated development environment into an educational resource for secure…

Cited by 9 publications
(13 citation statements)
References 10 publications
“…[4][5][6]11 Shorter feedback loops also result in better learning performance. 12,13 As a result a shift left movement is ongoing to try to identify possible security problems as early as possible in the SDLC, as shown in Figure 2. New project management techniques such as Agile and DevOps encourage fast incremental releases where the developer is also responsible for meeting nonfunctional requirements such as security.…”
Section: Early In the SDLC (mentioning)
confidence: 99%
“…Traditional error-level markings are usually immediately addressed by the developer, while warning-level markings are more frequently ignored. 13 This is the case because error-level warnings in an IDE typically indicate a problem in the code that will result in a compilation failure. Currently error markings by our tool still allow successful compilation of a project, but several clients have requested the markings to result in compilation failures, equivalent to errors marked by the IDE itself.…”
Section: Explaining Rules (mentioning)
confidence: 99%
“…The Open Web Application Security Project [2] identified the top ten most critical application security vulnerabilities: injection flaws, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, and insufficient logging and monitoring. The most effective way to address software application vulnerabilities is through secure coding practices during the life cycle of a software application [3]. By being aware of the application security vulnerabilities, software developers can design defenses against the vulnerabilities along with software functionality.…”
Section: Introduction (mentioning)
confidence: 99%