Understanding security vulnerabilities in student code: A case study in a non-security course

Limited Access
This item is unavailable until:
2023-12-14
Date
2021-12-14
Editor(s)
Advisor
Supervisor
Co-Advisor
Co-Supervisor
Instructor
Source Title
The Journal of Systems and Software
Print ISSN
0164-1212
Electronic ISSN
1873-1228
Publisher
Elsevier Inc.
Volume
185
Issue
Pages
111150- 1 - 111150- 11
Language
English
Journal Title
Journal ISSN
Volume Title
Series
Abstract

Secure coding education is quite important for students to acquire the skills to quickly adapt to the evolving threats towards the software they are expected to create once they graduate. Educators are also more aware of this situation and incorporate teaching security in their respective fields. An effective application of this is only possible by cultivating the teaching and learning perspectives. Understanding the security awareness and practice of students is useful as an initial step to create a baseline for teaching methods and content. In this paper, we first survey to investigate how students approach security and what could motivate them to learn and apply security practices. Then, we analyze the source code for 6 semesters of coding assignments for 2 tasks using a source code vulnerability analysis tool. In our analysis, we report the types of vulnerabilities and various aspects between them while incorporating the effect of student grades. We then explore the lexical and structural features of security in student code using data analysis and machine learning. For the lexical analysis, we build a classifier to extract informative features and for the structural analysis, we utilize Syntax Trees to represent code and perform clustering in terms of structural features where clusters themselves yield different vulnerability levels.

Course
Other identifiers
Book Title
Citation
Published Version (Please cite this version)