A Multi-Discipline Approach for Enhancing Developer Learning in Software Security
Abstract
Building secure software is challenging. Developers should possess proper security knowledge and skills so that they can resist security attacks and implement security countermeasures effectively. However, the lack of security knowledge among software developers has become a major problem in software communities. Software developers enter the field from different academic disciplines, and many of them lack formal, college-level training in software development and security. Even computer science and engineering curricula seem to fail to provide students (future developers) with essential knowledge and skills in secure software development. Without appropriate knowledge to resist security attacks and implement the corresponding countermeasures, developers cannot cope with the growing complexity of software development, and the resulting software products consequently become more vulnerable to security risks.
To help software developers become aware of the increasing cybersecurity threats, security experts and software practitioners have produced a large body of security knowledge in the form of standards, guidelines, and techniques, which is available in the open literature or on the internet. However, this rapid growth in knowledge resources has not contributed much to reducing software insecurity. Conventional approaches to security instruction appear to be ineffective in fostering developers' learning of software security. Moreover, contextual factors within software development organizations, both technical and non-technical, influence developers' learning processes toward the achievement of secure software development. The lack of supportive learning environments in software development, together with ineffective teaching approaches for software security, has made it difficult for developers to learn security knowledge.
This thesis is centered in the discipline of Information Systems and draws on cross-disciplinary thinking at the intersections of sociology, education, software engineering and other fields to undertake the complex task of identifying how to enhance developers' learning in software security. With the goals of investigating the contextual factors that affect developers' learning of software security and proposing a learning tool for effective security education and learning, this thesis contributes to the fields of software development and security education. It employs five cycles of the Design Science Research (DSR) methodology, applying existing models and means from socio-technical systems theory and context-based teaching and learning to propose a multi-discipline approach that integrates the elements necessary to achieve these goals. The contribution of the thesis is twofold. First, it offers a conceptual framework for identifying the complex relationship between technical and social factors, pointing out the limitations of and opportunities for security learning in software development. The conceptual framework allows software organizations to think holistically about their strategies so that they can meet the challenges of secure software development by establishing a supportive security learning environment within the organization. Second, the thesis presents a concrete artifact designed to promote context-based learning of security knowledge: an ontology-based contextualized learning system. Through evaluation in both pedagogical and software development environments, it is shown to contribute a solution to the problem domain. Beyond these results, the context-based artifact can benefit not only the domain of software security but also other educational fields, such as information security and computer security.
Has parts
Wen, Shao-Fang. "Software Security in Open Source Development: A Systematic Literature Review." In: Proceedings of the 21st Conference of Open Innovations Association FRUCT. FRUCT Oy, 2017. ISBN 978-952-68653-2-4, pp. 364-373. https://doi.org/10.23919/FRUCT.2017.8250205 © 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Wen, Shao-Fang. "Learning Secure Programming in Open Source Software Communities: A Socio-Technical View." © ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proceedings of the 6th International Conference on Information and Education Technology, ACM, 2018, pp. 25-32. https://doi.org/10.1145/3178158.3178202
Wen, Shao-Fang. "An Empirical Study on Security Knowledge Sharing and Learning in Open Source Software Communities." Computers, 2018, volume 7, issue 4. https://doi.org/10.3390/computers7040049 This is an open access article distributed under the Creative Commons Attribution License (CC BY 4.0)
Wen, Shao-Fang and Katt, Basel. “Towards a Context-Based Approach for Software Security Learning.” Journal of Applied Security Research. 2019, volume 14, issue 3, pp. 288-307. https://doi.org/10.1080/19361610.2019.1585704
Wen, Shao-Fang and Katt, Basel. "Managing Software Security Knowledge in Context: An Ontology-Based Approach." Information, 2019, volume 10, issue 6. https://doi.org/10.3390/info10060216 This is an open access article distributed under the Creative Commons Attribution License (CC BY 4.0)
Wen, Shao-Fang and Katt, Basel. "Development of Ontology-Based Software Security Learning System with Contextualized Learning Approaches." Journal of Advances in Information Technology, 2019, volume 10, no. 3, pp. 81-90. https://doi.org/10.12720/jait.10.3.81-90 (CC BY-NC-ND 4.0)
Wen, Shao-Fang and Katt, Basel. “Preliminary Evaluation of an Ontology-Based Contextualized Learning System for Software Security.” © ACM, 2019. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published In Proceedings of the 23rd International Conference on Evaluation and Assessment in Software Engineering. ACM, 2019. https://doi.org/10.1145/3319008.3319017
Wen, Shao-Fang and Katt, Basel. "Learning Software Security in Context: An Evaluation in Open Source Software Development Environment." © ACM, 2019. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proceedings of the 14th International Conference on Availability, Reliability, and Security. ACM, 2019. https://doi.org/10.1145/3339252.3340336
Wen, Shao-Fang, Mazaher Kianpour, and Stewart Kowalski. "An Empirical Study of Security Culture in Open Source Software Communities." © ACM, 2019. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proceedings of the 2019 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). IEEE, 2019, pp. 863-870. https://doi.org/10.1145/3341161.3343520