A Multi-Discipline Approach for Enhancing Developer Learning in Software Security

Abstract

Building secure software is challenging. Developers should possess proper security knowledge and skills so that they can resist security attacks and implement security countermeasures effectively. However, the lack of knowledge about security among software developers has become a major problem in software communities. Software developers come in the field from different academic disciplines, and many of them lack formal, college-level software development and security training. Even in the curricula of computer science or engineering, educational programs seem to fail at providing students (future developers) with essential knowledge and skills in secure software development. Without appropriate knowledge to resist security attacks and implement corresponding security countermeasures, developers lose the capability to handle the growing complexity of software development, and the software products become more vulnerable to security risks consequently. To help software developers become aware of the increasing cybersecurity threats, security experts and software practitioners are devoted to offering a large body of security knowledge regarding standards, guidelines, and techniques, which are available in the open literature or on the internet. However, such exponential growth of knowledge resources does not make a considerable contribution to improve the problem of software insecurity. The conventional approaches on security knowledge instruction seem to lose effectiveness in fostering developers’ learning of software security. What is more, the contextual factors within software development organizations, technical and non-technical, are influencing developers’ learning processes toward the achievement of secure software development. The lack of supportive learning environments in software development, along with ineffective teaching approaches for software security, has created difficulties for developers in learning security knowledge. This thesis is centered in the discipline of Information System and draws from crossdisciplinary thinking at the intersections of sociology, education, software engineering and others, to undertake the complex task of identifying how to help enhance developers learning in software security. With the goals of investigating contextual factors that affect developers’ learning of software security and suggesting a learning tool for effective security education and learning, this thesis contributes to the fields of software development and security education. This thesis employs a five cycles of Design Science Research (DSR) methodology to apply existing models and means from the theories of socio-technical system and context-based teaching and learning to suggest a multi-discipline approach that integrates necessary elements for the goal achievement. The contribution of the thesis is twofold: First, this thesis offers a conceptual framework to identifying the complex relationship between technical and social factors, pointing out the limitations and opportunities of security learningin software development. The conceptual framework allows software organizations to think holistically about their strategies so that they can undertake the challenges of secure software development through establishing a supportive security learning environment within the organization. Second, this thesis forges a concrete artifact designed to promote context-based learning of security knowledge: the ontology based contextualized learning system. Through evaluation in both pedagogical and software development environments, it is proved to contribute a solution to the problem domain. While these results are positive, the innovative context-based artifact benefits not only the domain of software security, but also other educational fields, such as information security and computer security.