Please use this identifier to cite or link to this item: https://open.uns.ac.rs/handle/123456789/315
Title: Utilizing a vulnerable software package to teach software security design analysis
Authors: Luburić, Nikola 
Sladić, Goran 
Milosavljević, Branko 
Issue Date: 1-May-2019
Journal: 2019 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2019 - Proceedings
Abstract: © 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2019 - Proceedings. All rights reserved. As the number of threats and attacks to software systems increases, more attention is given to secure software engineering practices, such as secure coding and security testing. More abstract activities, such as security design analysis, require extensive security expertise from software engineers. Unfortunately, such knowledge is scarcely available, as it is an area that is both difficult to teach and learn. We developed a framework for teaching security design analysis, which is built around the hybrid flipped classroom and case study analysis. This paper enhances our framework by utilizing freely available vulnerable software packages as case studies for security design analysis. We illustrate the enhancement by using a mature vulnerable software package to construct a laboratory exercise dedicated to the security design analysis of threats originating from injection-based attacks. We provide guidance for the usage of our enhanced framework and outline a lab that can be utilized for a university course or a corporate training program dedicated to secure software engineering.
URI: https://open.uns.ac.rs/handle/123456789/315
ISBN: 9789532330984
DOI: 10.23919/MIPRO.2019.8757149
Appears in Collections: FTN Publikacije/Publications
