Can the security mindset make students better testers?

Sara Hooshangi, Richard Weiss, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

    Abstract

    Writing secure code requires a programmer to think both as a defender and an attacker. One can draw a parallel between this model of thinking and techniques used in test-driven development, where students learn by thinking about how to effectively test their code and anticipate possible bugs. In this study, we analyzed the quality of both attack and defense code that students wrote for an assignment given in an introductory security class of 75 (both graduate and senior undergraduate levels) at NYU. We made several observations regarding students' behaviors and the quality of both their defensive and offensive code. We saw that student defensive programs (i.e., assignments) are highly unique and that their attack programs (i.e., test cases) are also relatively unique. In addition, we examined how student behaviors in writing defense programs correlated with their attack program's effectiveness. We found evidence that students who learn to write good defensive programs can write effective attack programs, but the converse is not true. While further exploration of causality is needed, our results indicate that a greater pedagogical emphasis on defensive security may benefit students more than one that emphasizes offense.

    Original language: English (US)
    Title of host publication: SIGCSE 2015 - Proceedings of the 46th ACM Technical Symposium on Computer Science Education
    Editors: Adrienne Decker, Kurt Eiselt, Jodi Tims, Carl Alphonce
    Publisher: Association for Computing Machinery
    Pages: 404-409
    Number of pages: 6
    ISBN (Electronic): 9781450329668
    State: Published - Feb 24 2015
    Event: 46th SIGCSE Technical Symposium on Computer Science Education, SIGCSE 2015 - Kansas City, United States
    Duration: Mar 4 2015 → Mar 7 2015

    Publication series

    Name: SIGCSE 2015 - Proceedings of the 46th ACM Technical Symposium on Computer Science Education

    Other

    Other: 46th SIGCSE Technical Symposium on Computer Science Education, SIGCSE 2015
    Country/Territory: United States
    City: Kansas City
    Period: 3/4/15 → 3/7/15

    Keywords

    • Access control
    • Python
    • Security
    • Testing

    ASJC Scopus subject areas

    • Education
    • Computer Science (miscellaneous)
