Training for Security: Results from Using a SAT in the Development Pipeline of Web Apps
In a previously published paper, we presented the results of an assessment to understand whether Computer Science (CS) bachelor students, enrolled in a Software Technologies for the Web (STW) course, were equipped to manage security concerns in the development of (e-commerce) web apps. The gathered evidence highlighted that students enrolled in this course in a.y. (academic year) 2021-22 were not equipped to develop secure web apps, although they regarded security as a relevant development aspect. We then delineated a training plan to fill this gap. In this experience-report paper, we present the results from the enactment of this plan and the experience gained. In particular, our training plan involved CS bachelor students enrolled in the STW course in a.y. 2022-23, and one of the implemented actions consisted of asking these students (who were different from those enrolled in a.y. 2021-22) to use a Static Analysis Tool (SAT), namely SonarCloud, in their development pipeline to detect security concerns. The students were asked to use SonarCloud, but were not forced to remove the detected security concerns. One of the most important results deriving from the enactment of our intervention was that the number of security concerns in the web apps developed in a.y. 2022-23 was significantly lower than in those developed in a.y. 2021-22. Since software security is nowadays of primary relevance, we must train the next generation of developers to develop secure web apps and let them experience, in university courses, the use of tools that support the development of secure software.
Fri 19 Apr (displayed time zone: Lisbon)

11:00 - 12:30 | Analysis 3 (Research Track / Demonstrations / Software Engineering Education and Training) at Almada Negreiros. Chair(s): Dalal Alrajeh (Imperial College London)

11:00 (15m, Talk) LibAlchemy: A Two-Layer Persistent Summary Design for Taming Third-Party Libraries in Static Bug-Finding Systems. Research Track. Rongxin Wu (School of Informatics, Xiamen University), Yuxuan He (School of Informatics, Xiamen University), Jiafeng Huang (School of Informatics, Xiamen University), Chengpeng Wang (The Hong Kong University of Science and Technology), Wensheng Tang (The Hong Kong University of Science and Technology), Qingkai Shi (Nanjing University), Xiao Xiao (Ant Group), Charles Zhang (The Hong Kong University of Science and Technology).

11:15 (15m, Talk) Is unsafe an Achilles' Heel? A Comprehensive Study of Safety Requirements in Unsafe Rust Programming. Research Track. Mohan Cui (Fudan University), Shuran Sun (Fudan University), Hui Xu (Fudan University), Yangfan Zhou (Fudan University).

11:30 (15m, Talk) Unveiling Hurdles in Software Engineering Education: The Role of Learning Management Systems. Software Engineering Education and Training. Niklas Meissner (University of Stuttgart), Nadine Koch (University of Stuttgart), Sandro Speth (Institute of Software Engineering, University of Stuttgart), Uwe Breitenbücher (Reutlingen University), Steffen Becker (University of Stuttgart).

11:45 (15m, Talk) Training for Security: Results from Using a SAT in the Development Pipeline of Web Apps. Software Engineering Education and Training. Sabato Nocera (University of Salerno), Simone Romano (University of Salerno), Rita Francese (University of Salerno), Giuseppe Scanniello (University of Salerno).

12:00 (7m, Talk) Refinery: Graph Solver as a Service. Demonstrations. Kristóf Marussy (Budapest University of Technology and Economics), Attila Ficsor (Budapest University of Technology and Economics), Oszkár Semeráth (Budapest University of Technology and Economics), Daniel Varro (Linköping University / McGill University).

12:07 (7m, Talk) (Neo4j)^ Browser: Visualizing Variable-Aware Analysis Results. Demonstrations. Rafael F. Toledo (University of Waterloo), Joanne M. Atlee (University of Waterloo), Rui Ming Xiong (University of Waterloo), Mingyu Liu (University of Waterloo).