XSS for the masses: Integrating security in a web programming course using a security scanner

Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Bibliographic Details
Main Authors: SHAR, Lwin Khin, POSKITT, Christopher M., SHIM, Kyong Jin, WONG, Li Ying Leonard
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2022
Subjects: Cybersecurity education; web development; security integration; Information Security; Software Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/7188
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/8191/viewcontent/security_integration_iticse22.pdf
Institution: Singapore Management University
Record ID: sg-smu-ink.sis_research-8191
Record format: dspace
Record last updated: 2023-03-31T02:13:24Z
Date published: 2022-07-01
Format: text (application/pdf)
DOI: 10.1145/3502718.3524795
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems (InK@SMU)
Content provider: SMU Libraries, Singapore Management University, Singapore
Indexed topics: Cybersecurity education; web development; security integration; Information Security; Software Engineering