Secure Software Development Education through the IDE
Heather Richter Lipford and Bill Chu
Department of Software and Information Systems
SoTl Project Report
{Heather.Lipford, billchu}@uncc.edu
Abstract
Security vulnerabilities resulting from software flaws affect all organizations with heavy reliance on
information technology. Current curriculum emphasis on traditional information security issues does
not address this root cause of many of the information security challenges we face today. There is a
large body of knowledge on techniques for designing, implementing, and testing software that is more
secure and robust than existing software. We believe that in order to effectively teach these secure
programming techniques, they need to be diffused across computing curricula. Diffusing secure
programming education across a computing curriculum presents several challenges: many CS faculty
have never been trained in basic secure software development techniques, secure techniques are not
utilized in many programming textbooks, and there may not be enough time in existing courses to
cover secure software design issues in detail.We propose a new approach of integrating educational
support into an IDE to overcome some of these challenges and provides effective training throughout
a student’s education. Our approach creates a new learning tool that complements other secure
programming curriculum efforts by teaching and providing continuous reinforcement of practices
throughout programming tasks.
1. Introduction
Software flaws are at the root cause of many of today’s information security vulnerabilities. For
example, seventy-five percent of Top 20 Security Risks identified by SANS can be mitigated by code
patches [11]. Web applications, because of their wide use, are particularly vulnerable to well known
and easily implemented attacks. Computer Science, Software Engineering, and Information
Technology educational programs train students in programming and application development. Yet,
relatively few programs offer any education in secure software development – programming
techniques that reduce the security bugs and vulnerabilities found in software. As a result, the
programmers that we educate continue to inadvertently introduce security bugs, and attacks continue
to cost organizations millions of dollars a year. For this reason, many federal agencies and businesses
have identified a critical need for secure software development training as part of computing
education, and organizations such as the SANS Institute have started to develop professional
certifications in secure software development.
There is a large body of knowledge on techniques for designing, implementing, and testing software
that is more secure and robust than existing software [5]. Both government and industry efforts have
been recently launched to codify and organize such knowledge. For example, the Department of
Homeland Security (DHS) has developed a Common Body of Knowledge (CBK) for software
assurance [4]. Recently Safcode.org, a consortium of prominent technology companies, was formed
to promote software assurance with two white papers outlining best industry practices [9][10]. While
these efforts provide valuable resources, they do not provide sufficient educational direction and
materials for university efforts. There are many challenges that universities continue to face in
developing secure software education, including a lack of good exercises, the challenge of keeping up
with new attack vectors, the lack of educational opportunities for faculty, and the need to train more
students to adopt a “hacking” mentality in analyzing security [2]. Our goal in this project is to research
methods of providing enhanced education in secure programming to our students, and become a
resource for such methods for other universities.
2. Background
There are two approaches to teaching secure programming practices as part of a computing
curriculum. First, courses dedicated to secure software development can be offered to provide in-
depth instruction. This approach provides students with in-depth experience in analyzing software
vulnerabilities and methods for preventing or repairing them. We believe that such courses are
important to train security professionals in software assurance, and the Department of Software and
Information Systems at UNC Charlotte offers such a course. However, there are disadvantages to only
providing concentrated courses: such dedicated security courses may be elective, and thus reach only
a subset of computing students; there may not be room in the degree program for students to take the
course; and students may not take the course until they are juniors or seniors.
As students learn to program, the training and examples they learn from will heavily impact the
practices they use in their own code [6]. Many programming textbooks have little mention of security,
and may even contain vulnerabilities. Thus, if students are not exposed to secure programming
practices until later in their education, if at all, they may learn bad habits without being aware of the
consequences. Thus, while we believe that concentrated courses are still important for providing indepth training, secure programming education also needs to be diffused across computing curriculum,
taught alongside software development in general.
Yet this approach is also not without challenges. The majority of computing faculty are not trained in
secure coding, and thus unlikely to be aware of and teach these topics. Secure techniques are not
utilized in many programming textbooks. In addition, a Computer Science or Information Technology
degree program already has a large body of required topics to be covered in a standard curriculum.
There may not be time or resources in current programming courses to add additional secure
programming topics without reducing instruction on some other fundamental topic.
One of our goals is to find methods to help faculty incorporate secure programming concepts and
techniques throughout the computing curriculum. Several other researchers are also working towards
this goal. Matt Bishop conceived of a secure programming clinic [1], based on the use of writing clinics
in other disciplines. The clinic would assist students who have some programming knowledge in
improving their programming practices. The clinics could be run by graduate students and could either
be independent or tied to particular courses and assignments. Kara Nance describes how to
incorporate security concerns into the assignments in CS1 courses [8]. Faculty at Towson university
have focused on integrating secure programming modules into labs for programming-based courses,
such CS0 and CS1, which they call security injections. [12]. These injections consist of general
vulnerability descriptions and problems, such as integer overflow, along with a security checklist for
students to use to evaluate their code [13]. These lab modules have been shown to increase the
awareness of security principles of students [14].
3. Approach
Our original goal was to examine more traditional methods for disseminating secure software
development knowledge to faculty and students across the curriculum. We examined popular
textbooks and exercises, looking to enhance them with security information, similar to the Towson
efforts. Yet in doing so, we realized two major challenges. We studied the security implications of a
structured vs. standard development framework, and one of the major lessons is that programmers
are likely to utilize standard defaults and not think about security during programming, whatever their
security training [6]. Another of the major challenges would still be to deliver secure programming
course content to faculty. Faculty, few of whom have training in secure programming, would have to
understand the need to teach such skills and seek out additional exercises and course content, adding
to sometimes already overloaded classes.
Based on these lessons, we began to explore a radically new idea – to deliver secure programming
knowledge and practical skills while students are programming, outside of the lecture. Integrated
Development Environments (IDEs), such as IBM’s Eclipse or Microsoft’s Visual Studio, have greatly
improved software productivity by alleviating developers’ burdens of dealing with syntax errors and
navigating the code structure. We began to formulate a proposal to investigate whether promoting and
teaching secure programming practices can be accomplished within an IDE.
Our approach is based on the following considerations:
1) Many common security vulnerabilities reside in code that can be fixed by adding or modifying
just a few lines of code locally. For example, a few lines of input validation code can prevent SQL
injection vulnerabilities and a few lines of output encoding can prevent cross-site scripting.
2) Developers who write the code have the best understanding of the program while they are
developing it. It will be easiest to write secure code during program construction, rather than
patching or debugging later in response to detected vulnerabilities. Thus, rather than learning
abstract examples in lectures, students could learn good practices in the context of their existing
work.
3) We wish to reduce cognitive burden on the student by utilizing visual cues to remind them of
potential vulnerabilities, and interactive interfaces to provide assistance in performing the
programming practices to prevent a vulnerability. This will allow students to focus primarily on the
programming skills they are learning, reminding them of the security concerns only when relevant.
This approach would involve developing a tool to run in the IDE, to provide warnings to students as
they are programming their assignments about potential security vulnerabilities, and to help students
learn about those warnings and mitigate the vulnerability. Such a tool would provide several potential
advantages:

The tool can support any level of student. The plug-in will only detect potential vulnerabilities
in the code they are working on, providing only information that is relevant to them.

The tool can provide continuous support for all of a student’s code, continuing to reinforce
good programming practices even outside of structured coursework.

The tool can track student’s reactions to security warnings, and make such information
available to students to track the security issues in their programs, and for instructors for
evaluating the programming assignment.
4. Status and Conclusion
The SOTL project seeded our exploration into how to integrate secure programming education into
computing courses. As a result of this project, we proposed a new idea for integrating secure
programming education into the IDE in order to infuse the training throughout a student’s programming
education. We prepared a proposal to the National Science Foundation program for Transforming
Undergraduate Education in STEM. The proposal was submitted in 2010, and subsequently funded in
2011 [7]. As a result, we have received funding to fully implement the tool we proposed, called ASIDE,
and evaluate its use on programming courses both here and at other universities. Our results will be
disseminated to computing educational communities, and the tool eventually released for broad scale
usage. The tool has already been utilized by 2 sets of students in our evaluations, and will be released
to an advanced programming class this fall.
Our approach investigates a new strategy for learning good programming practices to help produce
computing graduates with important secure programming skills. The tool we are creating can promote
these practices for any level of course and software complexity, potentially impacting any student
learning to develop software. The tool can be easily utilized by faculty without additional curriculum
changes or security expertise. Our approach complements curriculum development in secure
programming by providing a tool for reinforcing and assisting with learned skills. The assessments will
provide measurements of how students are various levels use and learn from the tool. If successful,
educators can directly use our tool for their courses, or utilize the approach to focus on additional
secure programming practices and additional programming languages.
References
[1]
Bishop, M., and B. J. Orvis. “A Clinic to Teach Good Programming Practices” in Proceedings of
the 10th Colloquium for Information Systems Security Education, June 2006.
[2]
Chu, B., Stranathan, W., Xu, H., and Xiong, S. “Teaching Secure Web Application
Development” in Faculty Workshop on Secure Software Development, Orlando, FL, April 2008.
[3]
Chu, B., Stranathan, W., Cody, J., Peterson, J., Wenner, A. and Yu, H. “Teaching Secure
Software Development with Vulnerability Assessment” in Proceedings of the 13th Colloquium
for Information Systems Security Education, June 2009.
[4]
Department of Homeland Security. “Software Assurance: A Curriculum Guide to the Common
Body of Knowledge to Produce, Acquire, and Sustain Secure Software”, 2007.
[5]
Graff, M. and van Wyck, K. Secure Coding: Principles and Practices, O’Reilly, Sebastopol, CA,
2003.
[6]
Lipford, H.R., Xie, J., Stranathan, W., Oakley, D., and Chu, B. “The Impact of a Structured
Application Framework on Web Application Security.” In the Proceedings of the Colloquium for
Information Systems Security Education (CISSE), June 2010.
[7]
Lipford, H.R. (PI), Bill Chu (Co-PI). NSF-DUE #1044745. Collaborative Research: Supporting
Secure Programming Education in the IDE. September 2011–February 2014, $183,589.
[8]
Nance, K. “Teach Them When They Aren’t Looking: Introducing Security in CS1” IEEE Security
and Privacy, vol 7, issue 5. pp 53-55. September 2009.
[9]
Safecode.org “Software Assurance: an Overview of Current Industry Best Practices”, Software
Assurance Forum for Excellence in Code, www.safecode.org, Feb. 2008.
[10]
Safecode.org “Fundamental Practices for Secure Software Development”, Software Assurance
Forum for Excellence in Code, www.safecode.org, Feb. 2008.
[11]
SANS Institute “SANS To-20 2007 Security Risks (2007 Annual Update)” SANS Institute,
www.sans.org/top20, Nov. 2007.
[12]
Taylor, B. and Azadegan, S. “Threading Secure Coding Principles and Risk Analysis into the
Undergraduate Computer Science and Information Systems Curriculum”, In the Proceedings of
Information Security Curriculum Development Conference. Kennesaw, GA, 2006.
[13]
Taylor, B. and Azadegan, S. “Using Security Checklists and Scorecards in CS Curriculum,” In
the Proceedings of the National Colloquium for Information Systems Security Education,
Boston, MA, 2008.
[14]
Taylor, B. and Azadegan, S., “Moving beyond security tracks: integrating security in cs0 and
cs1,” Proceedings of the 39th SIGCSE technical symposium on Computer science education,
2008, pp. 320-324.