Can the security mindset make students better testers?

Sara Hooshangi, Richard Weiss, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Writing secure code requires a programmer to think both as a defender and an attacker. One can draw a parallel between this model of thinking and techniques used in test-driven development, where students learn by thinking about how to effectively test their code and anticipate possible bugs. In this study, we analyzed the quality of both attack and defense code that students wrote for an assignment given in an introductory security class of 75 (both graduate and senior undergraduate levels) at NYU. We made several observations regarding students' behaviors and the quality of both their defensive and offensive code. We saw that student defensive programs (i.e., assignments) are highly unique and that their attack programs (i.e., test cases) are also relatively unique. In addition, we examined how student behaviors in writing defense programs correlated with their attack program's effectiveness. We found evidence that students who learn to write good defensive programs can write effective attack programs, but the converse is not true. While further exploration of causality is needed, our results indicate that a greater pedagogical emphasis on defensive security may benefit students more than one that emphasizes offense.

    Original language: English (US)
    Title of host publication: SIGCSE 2015 - Proceedings of the 46th ACM Technical Symposium on Computer Science Education
    Publisher: Association for Computing Machinery, Inc
    Pages: 404-409
    Number of pages: 6
    ISBN (Print): 9781450329668
    State: Published - Feb 24 2015
    Event: 46th SIGCSE Technical Symposium on Computer Science Education, SIGCSE 2015 - Kansas City, United States
    Duration: Mar 4 2015 - Mar 7 2015

    Other

    Other: 46th SIGCSE Technical Symposium on Computer Science Education, SIGCSE 2015
    Country: United States
    City: Kansas City
    Period: 3/4/15 - 3/7/15


    Keywords

    • Access control
    • Python
    • Security
    • Testing

    ASJC Scopus subject areas

    • Education
    • Computer Science (miscellaneous)

    Cite this

    Hooshangi, S., Weiss, R., & Cappos, J. (2015). Can the security mindset make students better testers? In SIGCSE 2015 - Proceedings of the 46th ACM Technical Symposium on Computer Science Education (pp. 404-409). Association for Computing Machinery, Inc. https://doi.org/10.1145/2676723.2677268
