hACME game - A Tool for Teaching Security
The number of vulnerabilities in computer software is rapidly increasing. These vulnerabilities are often caused by known and common bugs or design flaws. hACME game is an online game aimed at teaching software developers awareness of the most common vulnerability types in a web environment. This is accomplished by presenting different hacking challenges for the players to solve. The task of this master's thesis was to extend and enrich the first version of hACME game, lifting it to an established tool for teaching software security. Based on requirements and design derived in a preliminary project, the game was extended to contain more challenges, improved game-based learning aspects, improved motivational factors and extended data collection mechanisms. Since the game is heavily exposed to various types of attacks, best-practice security for the game application itself was needed, ensured by a thorough security evaluation. This resulted in a game with 42 challenges, with no discovered critical security issues. An empirical test with students was performed with the intention of gathering data for an evaluation of the game. 85 students participated in the test, resulting in 6 738 hacking attempts. The test showed that players' ability to solve the various challenges did increase through the game. Hence, it is concluded that players do learn from the game. The empirical student test also revealed issues for game improvements, including challenge improvements and optimization of the increasing difficulty. Similar games exist, but these tend to focus on measuring the player's skills rather than teaching players new knowledge. By adopting techniques from the game-based learning discipline, hACME game serves as a unique and important contributor to the software security domain.
hACME game is suited not only for teaching future actors in the software industry awareness of the common pitfalls, but also for anyone who wants to gain or refresh web application security knowledge.