
June 30th, 2016

SIDE:
A Web-based Integrated Development Environment (IDE) for Teaching PHP
Secure Coding to Novice Programmers

Researchers: Gerard Miller, Penelope DeFreitas, Aurell Liddell

Abstract

The problem of secure coding has received much attention over the last decade from many stakeholders of the Software Development Life Cycle (SDLC). Though the problem is of grave concern, many universities do not offer a dedicated security track or any secure coding courses. Some universities offer security courses but see low enrollment since these courses are not mandatory for all Computer Science students. When this occurs, the poor coding practices learned are then taken into industry, which is one of the reasons for software vulnerabilities in enterprise applications.

We sought to discover the awareness of secure coding concepts among the University of Guyana Computer Science faculty and students. Also, we built a web-based Integrated Development Environment (IDE) that uses static analysis to detect simple vulnerabilities in PHP web applications. We targeted PHP web applications since they are very pervasive. The study was centered on final year Bachelor of Science in Computer Science students since they were formally introduced to PHP in the previous semester.

We report on the findings of the survey and a simple evaluation of the tool we developed.

Keywords: Static Analysis, Secure Coding, Web-based IDE, Security Education, Integrated Development Environment.

The Concept

Static analysis is a very popular technique for detecting vulnerabilities in PHP web applications, as seen in research done by Dahse (2011), Dewhurst (2012) and Xie et al. (2014). RIPS, the application developed by Dahse (2011), is not pedagogical in nature. Rather, it is meant for real-world web application security auditing. ASIDE, developed by Xie et al. (2014), was the tool most similar to ours in that it incorporated static analysis to detect vulnerabilities, assisting students in developing secure Java-based web applications. According to Gajraj et al. (2011), providing examples for students to learn from has been a popular approach to teaching computer programming. They developed a tool called CSmart which was used to teach computer programming in the C programming language by example to novice programmers. This Learning Integrated Environment facilitated guided instruction, which allowed a user to arrive at a solution to a programming problem by providing a guided path to the solution. We incorporated this idea of learning by example by providing two annotated example vulnerabilities, SQL Injection and Cross-Site Scripting (XSS), to show the student how such a vulnerability may occur. There are many ways in which these vulnerabilities may occur, but we restricted our tool, SIDE, to include only two simple ways since our target users were novice coders. ASIDE (Xie et al., 2014) used two techniques: interactive code refactoring and interactive annotation. Interactive code refactoring is very similar to a word processor's spellchecker. In ASIDE, when a security bug is detected in the source code, interactive code refactoring is used to insert the necessary code with the assistance of the programmer. When a bug is detected, the user clicks on the recommended solutions and chooses one. After the code is inserted, the bug notification disappears. We take a different approach: when a student submits buggy code we do not provide an automatic solution; instead we guide them through the steps to resolve the bugs found. We call this guided remediation. Gajraj et al. (2011) used a similar method called guided instruction in their tool; this influenced our choice of the guided remediation system.

Results

The initial survey revealed that the majority of final year Computer Science students wanted to pursue a career in Software Development. Also, students were unable to correctly detect a vulnerability from a snippet of PHP code. This led to a poor pre-test score. Significantly fewer students used the SIDE tool than participated in the survey. Many studies similar to this were able to determine the shortcomings among CS faculty that prevented secure coding from being incorporated in the CS curriculum. We were unable to do so.
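The detection and guided remediation described under The Concept, as an added example that is not SIDE's own code (the page does not give SIDE's implementation language; Python is assumed here): a minimal line-based taint tracker that flags the two simple SQL Injection and XSS patterns in PHP and returns remediation steps for the student rather than an automatic fix. The PHP snippets, the source, sink and sanitiser lists and the step wording are all constructed for this example.

```python
import re

# Constructed PHP inputs (not from the paper): the first contains the two bug classes SIDE targets,
# the second is the same code after guided remediation.
VULN_PHP = """<?php
$id = $_GET['id'];
$rows = mysqli_query($db, "SELECT * FROM users WHERE id = $id");
$name = $_POST['name'];
echo "Hello " . $name;
"""
FIXED_PHP = """<?php
$id = intval($_GET['id']);
$rows = mysqli_query($db, "SELECT * FROM users WHERE id = $id");
$name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
echo "Hello " . $name;
"""
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")       # where user input enters
SINKS = {"mysqli_query": "SQL Injection", "echo": "Cross-Site Scripting"}  # where it becomes harmful
# sanitiser -> bug classes it neutralises (intval leaves a bare integer, safe for both)
SANITIZERS = {"intval": {"SQL Injection", "Cross-Site Scripting"},
              "mysqli_real_escape_string": {"SQL Injection"},
              "htmlspecialchars": {"Cross-Site Scripting"}}
# guided remediation: steps shown to the student instead of an automatic fix
REMEDIATION = {
    "SQL Injection": ["Find the user-controlled variable inside the query string",
                      "Cast it with intval() or bind it through a prepared statement",
                      "Re-submit; the warning clears once nothing tainted reaches the query"],
    "Cross-Site Scripting": ["Find the user-controlled variable being echoed",
                             "Wrap it in htmlspecialchars($v, ENT_QUOTES, 'UTF-8')",
                             "Re-submit; the warning clears once the output is encoded"]}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
VARS = re.compile(r"\$\w+")

def analyse(php):
    """Line-by-line taint tracking; returns [(line_no, bug_class, steps), ...]."""
    taint, findings = {}, []           # variable -> bug classes still unsanitised
    for no, line in enumerate(php.splitlines(), 1):
        for fn, bug in SINKS.items():  # does a still-tainted variable reach a sink?
            if re.search(r"\b%s\b" % re.escape(fn), line) and \
               any(bug in taint.get(v, set()) for v in VARS.findall(line)):
                findings.append((no, bug, REMEDIATION[bug]))
        m = ASSIGN.match(line)
        if m:                          # propagate taint through assignments
            var, expr = m.groups()
            classes = set(SINKS.values()) if any(s in expr for s in SOURCES) else set()
            for v in VARS.findall(expr):
                classes |= taint.get(v, set())
            for fn, cleans in SANITIZERS.items():
                if fn + "(" in expr:
                    classes -= cleans
            taint[var] = classes
    return findings
```

Running `analyse(VULN_PHP)` reports line 3 (SQL Injection) and line 5 (XSS) with their step lists, while `analyse(FIXED_PHP)` reports nothing, which is the point at which SIDE's warning would clear.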

Remarks

The study revealed a need for focus on secure coding. In order to draw firm conclusions on the usability and efficacy of SIDE, we need to conduct a longitudinal study and have full participation from CSI faculty and students. We were able to determine the state of affairs with respect to secure coding among CSI final year students. Given more time, we can explore more methods of implementing vulnerability detection and allow for Object-Oriented support and larger code bases. All of our objectives can be fully achieved once the limitations of user participation and time are addressed.

Figure 1: The conceptual model of Secure IDE
