Design of Secure Coding Challenges for Cybersecurity Education in the Industry
This work aims to improve the secure coding awareness and skills of software developers in the industry, an incremental step in cybersecurity education.
This paper addresses the problem of improving software developers' ability to write secure code by investigating suitable challenge types for cybersecurity education in an industrial context. The authors propose six challenge types and a structure for Capture-the-Flag (CTF) challenges, including how to incorporate hints and penalties, with a new class of challenges based on code entry and interaction with an automated coach emerging from their evaluation.
According to a recent survey of more than 4000 software developers, fewer than half of developers can spot security holes. As a result, software products exhibit low security quality, expressed as vulnerabilities that can be exploited by cyber-criminals. This lack of quality and security is particularly dangerous if the software that contains the vulnerabilities is deployed in critical infrastructures. Serious games, and in particular Capture-the-Flag (CTF) events, have shown promising results in improving the secure coding awareness of software developers in the industry. To be useful, the challenges in a CTF event must be adequately designed to address the target group. This paper presents novel contributions by investigating which challenge types are adequate to improve software developers' ability to write secure code in an industrial context. We propose 1) six challenge types usable in the industry context, and 2) a structure for the CTF challenges. Our investigation also presents results on 3) how to include hints and penalties in the cyber-security challenges. We evaluated our work through a survey with security experts. While our results show that "traditional" challenge types seem to be adequate, they also reveal a new class of challenges based on code entry and interaction with an automated coach.