Understanding security vulnerabilities in student code: A case study in a non-security course
| buir.contributor.author | Yilmaz, Tolga | |
| buir.contributor.author | Ulusoy, Özgür | |
| buir.contributor.orcid | Yilmaz, Tolga|0000-0001-8617-9301 | |
| buir.contributor.orcid | Ulusoy, Özgür|0000-0002-6887-3778 | |
| dc.citation.epage | 111150- 11 | en_US |
| dc.citation.spage | 111150- 1 | en_US |
| dc.citation.volumeNumber | 185 | en_US |
| dc.contributor.author | Yilmaz, Tolga | |
| dc.contributor.author | Ulusoy, Özgür | |
| dc.date.accessioned | 2023-02-14T11:41:55Z | |
| dc.date.available | 2023-02-14T11:41:55Z | |
| dc.date.issued | 2021-12-14 | |
| dc.department | Department of Computer Engineering | en_US |
| dc.description.abstract | Secure coding education is quite important for students to acquire the skills to quickly adapt to the evolving threats towards the software they are expected to create once they graduate. Educators are also more aware of this situation and incorporate teaching security in their respective fields. An effective application of this is only possible by cultivating the teaching and learning perspectives. Understanding the security awareness and practice of students is useful as an initial step to create a baseline for teaching methods and content. In this paper, we first survey to investigate how students approach security and what could motivate them to learn and apply security practices. Then, we analyze the source code for 6 semesters of coding assignments for 2 tasks using a source code vulnerability analysis tool. In our analysis, we report the types of vulnerabilities and various aspects between them while incorporating the effect of student grades. We then explore the lexical and structural features of security in student code using data analysis and machine learning. For the lexical analysis, we build a classifier to extract informative features and for the structural analysis, we utilize Syntax Trees to represent code and perform clustering in terms of structural features where clusters themselves yield different vulnerability levels. | en_US |
| dc.description.provenance | Submitted by Ezgi Uğurlu (ezgi.ugurlu@bilkent.edu.tr) on 2023-02-14T11:41:55Z No. of bitstreams: 1 Understanding_security_vulnerabilities_in_student_code_A_case_study_in_a_non-security_course.pdf: 3955969 bytes, checksum: 4542fd64ada0ad49cf091f36ab622372 (MD5) | en |
| dc.description.provenance | Made available in DSpace on 2023-02-14T11:41:55Z (GMT). No. of bitstreams: 1 Understanding_security_vulnerabilities_in_student_code_A_case_study_in_a_non-security_course.pdf: 3955969 bytes, checksum: 4542fd64ada0ad49cf091f36ab622372 (MD5) Previous issue date: 2021-12-14 | en |
| dc.embargo.release | 2023-12-14 | |
| dc.identifier.doi | 10.1016/j.jss.2021.111150 | en_US |
| dc.identifier.eissn | 1873-1228 | |
| dc.identifier.issn | 0164-1212 | |
| dc.identifier.uri | http://hdl.handle.net/11693/111260 | |
| dc.language.iso | English | en_US |
| dc.publisher | Elsevier Inc. | en_US |
| dc.relation.isversionof | https://doi.org/10.1016/j.jss.2021.111150 | en_US |
| dc.source.title | The Journal of Systems and Software | en_US |
| dc.subject | Secure coding education | en_US |
| dc.subject | Source code analysis | en_US |
| dc.subject | Data mining | en_US |
| dc.subject | Vulnerability analysis | en_US |
| dc.title | Understanding security vulnerabilities in student code: A case study in a non-security course | en_US |
| dc.type | Article | en_US |
Files
Original bundle
1 - 1 of 1
Loading...
- Name:
- Understanding_security_vulnerabilities_in_student_code_A_case_study_in_a_non-security_course.pdf
- Size:
- 3.77 MB
- Format:
- Adobe Portable Document Format
- Description:
License bundle
1 - 1 of 1
No Thumbnail Available
- Name:
- license.txt
- Size:
- 1.69 KB
- Format:
- Item-specific license agreed upon to submission
- Description: