
Overview

ESIDE is a proof-of-concept Eclipse plug-in for Java, which integrates secure programming support and education into the IDE. ESIDE works in the background and provides instructional intervention the moment students write insecure code. In this way, ESIDE enhances the students' learning experience as they can directly apply the secure programming lessons they learned in the classroom to their coding practices. 


ESIDE works by scanning a selected project for code patterns that match predefined heuristic rules for security vulnerabilities. Although Java applications suffer from many kinds of code-level vulnerabilities, ESIDE currently covers only a few of the most common: missing input validation, missing output encoding, and dynamically constructed SQL statements. If left unresolved, these code patterns lead to real and common security vulnerabilities such as cross-site scripting (XSS) and SQL injection.
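To make the three patterns concrete, here is an added illustration in Java (the language ESIDE targets); it is not ESIDE's own code or rule set. The class `LoginDao`, its methods and the sample inputs are hypothetical. Each pattern is shown in the form a heuristic rule would flag, followed by the hardened form: concatenated SQL beside a `PreparedStatement`, an unchecked username beside an allow-list check, and raw HTML output beside an encoded one.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Hypothetical login helper used only to illustrate the three code patterns.
public class LoginDao {

    // Dynamic SQL: the query text is built by concatenating request input.
    // An input such as  ' OR '1'='1  changes the query's structure (SQL injection).
    public static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        Statement stmt = conn.createStatement();
        return stmt.executeQuery("SELECT id FROM users WHERE name = '" + username + "'");
    }

    // Hardened: a parameterised query. The driver sends `username` as a bound value,
    // so it is never interpreted as SQL syntax, whatever characters it contains.
    public static ResultSet findUser(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Input validation: allow-list the expected shape before the value is used anywhere.
    // Matcher.matches() requires the whole string to match, so no anchors are needed.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{1,32}");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    // Missing output encoding: untrusted data is written straight into HTML (XSS).
    public static String greetUnsafe(String username) {
        return "<p>Hello, " + username + "</p>";
    }

    // Hardened: encode the characters that can change HTML structure before emitting them.
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static String greet(String username) {
        return "<p>Hello, " + htmlEncode(username) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled inputs; no database is needed for this part.
        String xss = "<script>alert(1)</script>";
        String sqli = "' OR '1'='1";

        System.out.println(isValidUsername("alice_01"));   // an ordinary username passes the allow-list
        System.out.println(isValidUsername(sqli));         // the injection string is rejected before any SQL runs
        System.out.println(greetUnsafe(xss));              // the script tag is passed through to the browser
        System.out.println(greet(xss));                    // the tag is rendered as inert text
    }
}
```

The two SQL methods are kept side by side because a heuristic scanner like the one described above keys on exactly that difference: a `Statement` executed with a concatenated string versus a `PreparedStatement` with `?` placeholders. Validation and encoding are complementary rather than interchangeable: the allow-list narrows what reaches the query, while encoding protects the HTML context even for values the allow-list must permit.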


I have developed several components of ESIDE, especially the front-end security interventions. I have conducted multiple studies to investigate how effectively different secure programming education approaches, such as tools like ESIDE, can be integrated into the computer science curriculum, and the challenges behind that.

Study 1: Evaluating Two Methods for Integrating Secure Programming Education

Role: Ph.D. Leader | Skills: Lab Study, Qualitative Data Analysis | Collaborators: Stacy Watson, Bill Chu, Heather Richter Lipford

Our study aimed to examine the strengths and weaknesses of tool-based and in-person approaches to teaching secure programming techniques to students in a programming course. We compared ESIDE against a similar approach utilizing person-to-person feedback on the security of student assignments, referred to as a security clinic. We examined the potential of both approaches to influence students' secure coding practices and security awareness, with the goal of improving the design of our tool to be more engaging and effective. The study set out to examine the following questions:


RQ1: How do students interact with ESIDE versus the TA to learn about security implications of their code?

RQ2: How does ESIDE help students advance their secure programming knowledge versus what they learn from the TA?

RQ3: What are the questions frequently asked by the students? Can ESIDE provide the answers to those questions?

RQ4: How do students incorporate what they learned from ESIDE versus a TA into their assignments?

Research Method: Lab study, Controlled Observation

Participants: 36 students recruited from the Network-based Application Development course, University of North Carolina at Charlotte

Qualitative Data Analysis Method: Open Coding

We found two challenges in incorporating secure programming methods in the curriculum:


Incentivizing Students: How can students be incentivized and influenced to learn and use secure programming techniques when their primary need is to learn and practice the course content?


Timing: Students ignore secure coding if it is introduced early in the semester, before they sufficiently understand how to construct the program. At the end of the semester, students did not have enough time to work on the lessons they learned from the study and were not confident enough to add the security fixes without breaking the functionality of their project. What is the sweet spot for introducing secure programming concepts, when they make the most sense, and then reinforcing them within assignments?


Study 2: Integrating Secure Programming Education Method in Classroom: Case Study 

Role: Ph.D. Leader | Skills: Case Study, Qualitative Data Analysis | Collaborators: Stacy Watson, Bill Chu, Heather Richter Lipford

In this study, we deployed ESIDE in the graduate-level NBAD (Network-based Application Development) course at UNCC in Fall 2017 and Spring 2018, and in the WADD course at Winthrop University in Spring 2018. We integrated the TA-based approach into the undergraduate-level NBAD course at UNCC in Fall 2017 and Spring 2018. We shared the secure programming resources with all the instructors; however, it was up to the instructors whether, when and how to use those materials. The instructors reflected on the approach they had taken to incorporate secure programming in their class in a semi-structured interview at the end of the semester. Students' interactions with ESIDE and with the TA were logged throughout the semester.


In our study, we found some concrete factors, in addition to timing and incentives, that may guide students towards secure coding practices, such as exposure to security content, instructors' motivation and guidance, and teamwork. We are preparing a manuscript for a journal publication on the results of the study.


Research Method: Case Study, Interview

Qualitative Data Analysis Method: Open Coding

Publications

  • Madiha Tabassum, Stacey Watson, Bill Chu and Heather Richter Lipford. "Evaluating Two Methods for Integrating Secure Programming Education". In Proceedings of the ACM SIGCSE Technical Symposium on Computer Science Education, February 2018.

  • Madiha Tabassum, Stacey Watson and Heather Richter Lipford. "Comparing Educational Approaches to Secure Programming: Tool vs. TA". In Proceedings of the 3rd Workshop on Security Information Workers (WSIW 2017), Symposium on Usable Privacy and Security (SOUPS), July 2017.
