Cybersecurity Awareness Platform with Virtual Coach and Automated Challenge Assessment
Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque, Anmoal Porwal
Tiago Gasiba (Siemens AG, Munich, Germany; Universität der Bundeswehr München, Munich, Germany), Ulrike Lechner (Universität der Bundeswehr München, Munich, Germany), Maria Pinto-Albuquerque (Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR-IUL, Lisboa, Portugal), and Anmoal Porwal (Siemens AG, Munich, Germany)
{tiago.gasiba,anmoal.porwal}@siemens.com, {ulrike.lechner,tiago.gasiba}@unibw.de, [email protected]
Abstract.
Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.
Keywords:
Cybersecurity · Awareness · Training · Artificial Intelligence · Serious Games · Secure Coding · Static Application Security Testing · Capture-the-Flag
Errors and vulnerabilities in software development, if not solved early, can end up in a final product. These problems can result in serious consequences for the customer and the company that produced the software. This work aims to improve the situation through a serious game that raises awareness of secure coding and software development best practices among software developers, thus addressing the issues at an early stage of software development, i.e., when the code is being written.
In the next sub-sections, we present the problem at hand in more detail. We give a brief overview of standardization bodies, industry-led efforts, and academic efforts that were started to address the current situation. Finally, we describe our proposed methodology and our contributions to scientific knowledge.
The number of security advisories issued per year by the Industrial Control System Computer Emergency Response Team (ICS-CERT) has been steadily increasing. While before 2014 the number of advisories per year was less than 100, from 2017 to 2019 more than 200 advisories have been issued per year. These facts correlate well with the observed increase in the number and sophistication of cyber-attacks on industrial control systems (ICS).

The ransomware WannaCry, released by the "The Shadow Brokers" hacker group in 2017, which exploits a vulnerability in the Server Message Block (SMB) protocol, dubbed EternalBlue, has affected numerous industrial control systems. It has caused a financial impact exceeding 4 billion USD in more than 140 countries. The vulnerability exploited by EternalBlue is a buffer overflow caused by an integer overflow; exploitation of buffer overflows is not new, it has been known since the late '70s.

While not everything (e.g., attacks and vulnerabilities) can be traced back directly to a specific software vulnerability, an increasing number of such vulnerabilities (i.e., related to secure coding) have also been observed. Software security and secure software development play a fundamental role in industrial cybersecurity, particularly in critical infrastructures. According to a recent survey with more than 4000 software developers [14], "less than half of developers can spot security holes" [18]. This lack of awareness causes a severe issue in terms of cybersecurity of industrial control systems and critical infrastructures.

The present work focuses on the C and C++ programming languages. This is motivated by a recent study by Whitehat [23], which has shown that C and C++ are among the most used programming languages for industrial environments, but they are also among the most vulnerable in terms of cybersecurity vulnerabilities. This study also implies that the majority of vulnerabilities are created in these programming languages.
In recognition of the importance of secure products, and as a consequence of the current move towards digitalization and higher connectivity, several large industrial players have joined together and committed to a document called the Charter of Trust [19]. The Charter of Trust outlines ten fundamental principles that the partners vow to obey to address the issues inherent to cybersecurity. ICS-relevant standards such as IEC 62443-4-1 [12] or ISO 27001 [13] mandate the implementation of secure software development life-cycle processes and awareness training. These standards address security from a high-level perspective and are not specific enough about recommendations, policies, and best practices to be followed in software development. Towards this goal, an industry-led effort was created, the Software Assurance Forum for Excellence in Code (SAFECode), with the aim of identifying and promoting best practices for developing and delivering more secure and reliable software, hardware and services.

Serious games designed to train developers and raise their awareness of cybersecurity and secure coding are our approach to ameliorate the situation; other approaches are [5, 6, 15, 16]. We designed a game to raise awareness of cybersecurity, secure coding guidelines, and secure coding best practices among programmers. Our approach is an adoption of the popular Capture-the-Flag (CTF) format. CTF is a serious game genre in the domain of cybersecurity, popular in the penetration-test community as a means to practice offensive skills. In this kind of game, the participants aim to gather the highest amount of points awarded by solving cybersecurity challenges, e.g., breaking into systems. In [6], Gasiba et al. study the requirements that a game designer should follow to target the game to software developers in the industry.
In a further work [8], the authors provide six concrete and different challenge types to be used in this kind of CTF event. One of these is the "code entry" challenge type, where the proposed idea is that the player interacts through a web interface with a backend by modifying vulnerable code until all the coding guidelines are fulfilled, thus solving the challenge.
This paper extends the previous work, particularly the "code entry" challenge type, by describing the architecture of a platform, which the authors call Sifu, that was constructed to implement the game backend. The goal of this platform is to: 1) automatically analyze the solution submitted by the participant to the backend, 2) determine if this solution contains vulnerabilities and fulfills the required functionality, 3) generate hints to the player if the solution does not achieve a pre-determined goal, and finally 4) provide a flag (i.e., a unique code) which the player can use to gather points in the game. The correctness of the solution depends on it following established secure coding guidelines and secure programming best practices.

The generated hints are provided by a virtual coach, which assists the player in solving the challenge. These hints are created using a simple artificial intelligence (AI) engine that provides automatic pre-programmed interactions with the player when the submitted solution fails to meet the secure coding criteria. These hints generated by the AI engine (i.e., the virtual coach) assist the player in solving the challenge in a playful way and help lower the frustration, increase the fun, and improve the learning effect during gameplay.

The core of the present work is to describe the virtual coach platform. Nevertheless, to validate its suitability as a means to raise secure coding awareness, a small survey was performed with real players. Our preliminary results show that the participants have fun using the platform and also find it adequate for learning secure coding guidelines and secure software development best practices.
This work seeks to provide the following impact in the research community:
– introduce a novel method to automatically analyze player code submissions in terms of secure coding guidelines and software development best practices,
– introduce a virtual coach based on the laddering interview AI technique, and
– provide a preliminary analysis of the suitability of the proposed architecture in terms of adequacy to raise secure coding awareness of software developers.

Although we intend to use the Sifu platform in a CTF environment, it can also be used stand-alone in remote and offline training scenarios. This can be especially important if the players are spread over a large geographic area or have inherent restrictions on a face-to-face workshop.

This work is organized as follows. In section 2 we present previous related scientific work. Section 3 presents details on the architecture and implementation of the Sifu platform. This section also introduces the virtual coach and gives details on the implemented artificial intelligence algorithm. In section 4, preliminary results from a short survey of 15 participants in a pilot are presented. Finally, section 5 presents the conclusions and further work.
Playing cybersecurity games is gaining more and more attention in the research community. In [5], Frey et al. show both the potential impact that playing cybersecurity games can have on the participants and the importance of playing games as a means of cybersecurity awareness. They conclude that cybersecurity games can be useful to build a common understanding of security issues.

A serious game [4] is a game that is designed with a primary goal and purpose other than entertainment. Typically these games are developed to address a specific need such as learning or improving a skill. A Capture-the-Flag (CTF) game is one possible instance of a serious game. Votipka et al. [22] argue in their work that CTF events can be used as a means to improve security software development. In particular, their work shows that the participants of such events experience positive effects on improving their security mindset. Davis et al., in [2], discuss the benefits of CTF for software developers. In their work, they argue that CTFs can be used to teach computer security and conclude that playing CTFs is a fun and engaging activity.

In their work, Graziotin et al. [9] argue that happy developers are better coders. They show that developers that are happy at work tend to be more focused, adhering to software development processes, and following best practices. This improvement in software development leads to the conclusion that happy developers can produce higher quality and more secure code than unhappy developers. The authors believe that CTF events, since they are experienced as fun events, can foster higher code quality and adherence to secure development principles.

However, CTF events need to be properly designed to achieve this goal. Gasiba et al., in [6], perform requirements elicitation employing a systematic literature review, interviews of security experts, and also CTF participants from industry.
Their work details the requirements for CTF events to raise secure coding awareness of software developers in the industry. In particular, they conclude that CTF challenges for software developers should focus on the defensive perspective instead of the offensive one.

In their work, Simões et al. [20] present several programming exercises for teaching software programming in academia. Their design includes nine exercises that can be presented to students to foster student motivation and engagement in academic classes and increase learning outcomes. Their approach uses gamification and automatic assessment tools. However, their work focuses on the correct solution (implementation) of the programming exercise and not on the secure programming and security best practices aspects.

Gasiba et al. [8] propose, in a similar work, six different challenge types. These challenges, which are also a form of programming exercises, are executed in the context of a serious game of the type CTF and target software developers in the industry. One of the challenge types is a so-called code-entry challenge, where the CTF participant is given a project (e.g., in C or C++) that contains software vulnerabilities. The challenge aims to have the participants fix the security vulnerabilities by applying secure coding guidelines and software development best practices. In this previous work, the challenge type was only derived conceptually and lacked implementation and practical evaluation aspects.

Vasconcelos et al. [21] have recently shown a method to evaluate programming challenges automatically. In their work, the authors use Haskell and the QuickCheck library to perform automated functional unit tests of challenges submitted by students. Their goal is to evaluate if the solutions presented by the students comply with the programming challenge in terms of desired functionality. One of the main limitations of this work is that the code to be tested should be free from side effects.
The authors also focus on functional testing of single functions and do not address the topic of cybersecurity.

In [1, 3], Dobrovsky et al. describe an interactive reinforcement learning framework for serious games with complex environments where a non-player character is modeled using human guidance. They argue that interactive reinforcement learning can be used to improve learning and the quality of learning. However, their work aims to train an algorithm to better recreate human behavior by means of machine learning techniques. In our work, we aim at training humans to write better and more secure code. Due to this fact, machine learning techniques are not applicable. Nonetheless, we draw inspiration from the conceptual framework, which we adapt to our scenario.
Rietz et al. [17] show how to apply the principles of the laddering interview technique for requirements elicitation. The laddering technique consists of issuing a series of questions that are based on previous system states (i.e., previous answers and previous questions). The questions generated are refined versions of previously issued questions, as if the participant is climbing up a ladder containing more specific questions. Although this previous work applies to the field of requirements elicitation and does not focus on cybersecurity, the laddering technique principle can be adapted to a step-wise hint system.

In the present work, we also make use of the concept of awareness, or IT-security awareness, as defined by Haensch et al. in [11], in order to evaluate our artifact. In their work, they define awareness as having the following three dimensions: perception, protection, and behavior. The perception dimension is related to the knowledge of existing software vulnerabilities. The protection dimension is related to knowing the existing mechanisms (best practices) that avoid software vulnerabilities. Finally, the behavior dimension relates to the knowledge and intention to write secure code. We collect data from participants based on the three dimensions of awareness through a small survey. We use the best practices in the design, collection, and processing of survey information given by Grooves et al. [10].
In the following sub-sections we present the research problem in terms of research questions and present a possible solution. Additionally, we describe the setup of a small survey that was performed to evaluate our result.
In [8], the authors present a type of challenge for CTFs in the industry, which is called code-entry challenge (CEC). The main idea of this type of challenge is for the Player to be given a software development project that contains code that does not follow secure coding guidelines (SCG) and secure software development best practices (BP) and contains security vulnerabilities. In this work, we target specifically ICS by using SCG and BP which are specific to this field. The task of the Player is to fix the vulnerabilities and to follow SCG and BP. The Player should do this so that the original intended functionality is still fulfilled in the new version of the code. The present work aims to solve these requirements by means of a platform that performs an automatic evaluation of the code submitted by the participant and guides the participant towards the final solution. Considering these requirements, the following research questions are then raised:
RQ1: how to automatically assess the challenges in terms of SCG and BP?
RQ2: how to aid the software developer when solving the challenges?

This work proposes to address RQ1 through a specialized architecture to automatically assess the level of compliance to SCG and BP by combining several state-of-the-art security testing frameworks, namely Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Runtime Application Security Protection (RASP). The functional correctness of the solution provided by the Player is evaluated using state-of-the-art Unit Testing (UT). To address RQ2, the authors propose to combine the output of the security testing tools with an AI algorithm to generate hints based on the laddering technique, thus implementing a virtual coach. The task of the virtual coach is to lower the frustration of the participant during gameplay and to aid the participant in improving the code.

The proposed solution herein described makes a contribution towards answering these research questions. To validate the assumption of the suitability of our proposal as a means to address the research questions, a small survey was conducted.
Figure 1 shows the top-level view of the Sifu architecture. In this figure, the "Player" represents the game participant (a human) and the "Project" represents a software project that contains vulnerabilities to be fixed by the Player. The "Analysis & Hints" (AH) component performs the core functionality: 1) evaluates the submitted code (Project) in terms of SCG and BP, 2) indicates if the challenge is solved or not and, if not solved, 3) generates hints to send back to the participant. The "State" component stores previous interactions and generated hints. During gameplay, the Player reads the Project and modifies the code by interacting with a web editor interface. When the changes in the code are done, the Player submits the code to the AH component for analysis.
Fig. 1. Conceptual game overview: interaction and components
A possible realization of the conceptual architecture is shown in figure 2. Interaction takes place between the Player and a web interface, which connects to a web backend. The web backend is responsible for triggering the automated security assessment, collecting the answer from the AI engine, and sending the answer back to the participant. To realize this, the Project submitted by the participant is first saved into a temporary folder after a pre-processing step (e.g., to inject code necessary for unit tests). After the addition of auxiliary files (e.g., C/C++ include files) to the temporary project directory, the Project is compiled, and a functional test and security assessment is performed. All these results are then made available to an AI engine, which determines if the challenge is solved and generates hints. This feedback is collected by the web backend, stored in an internal database, and forwarded as the answer back to the participant's web browser.
[Figure 2: Web Frontend, Web Backend, Project, Pre-Processing, Compiler, Sandbox Tools (SAST, Unit Tests, DAST), AI Engine, Feedback Collector]
Fig. 2. Detailed architecture: the Sifu Platform
Automatic Security Assessment
The security assessment which is performed on the Project is composed of the following steps: 1) Compilation, 2) Static Application Security Testing, 3) Unit Testing, 4) Dynamic Application Security Testing, and 5) Runtime Application Security Testing. In step 1, the Project is compiled; if there are compilation errors, these are reported to the AI component, and no further analysis takes place. Step 2 performs static code analysis; note that in this step, the code does not need to be executed. Since steps 3, 4 and 5 involve executing untrusted (and potentially dangerous) code, these are performed in a time-limited sandbox. The sandbox is very restrictive, e.g., it only contains the project executable and drops security-relevant capabilities (e.g., debugging and network connections are not allowed). Additionally, the executable is only allowed to run for a certain amount of time inside the sandbox. If this time is exceeded, the process will be automatically terminated. This avoids denial-of-service attacks by means of high CPU usage. Two types of unit tests are executed: 1) functional testing, in order to guarantee that the provided code is working as intended (e.g., as in the challenge description), and 2) security testing, in order to guarantee that typical vulnerabilities are not present in the code (e.g., buffer overflow). Security testing is done using self-developed tests and also using state-of-the-art fuzzing tools. Steps 4 and 5 perform several dynamic security tests. Table 1 lists the tools that the authors have used in each of these components. In this table, the open-source components used in the Sifu platform are marked with "OS".
Table 1.
Security Assessment Tools
Component: Tools
Compiler: GCC v10.1 (OS), Clang 9.0.0 (OS)
SAST: SonarQube, PC-lint, Cppcheck (OS), fbinfer (OS), semgrep (OS)
DAST: Valgrind (OS), Helgrind (OS)
RASP: Address Sanitizer (OS), Leak Sanitizer (OS), Thread Sanitizer (OS)
Unit Test: ATF (OS), Kyua (OS), AFL (OS)
Virtual Coach with AI Technique
The AI component shown in figure 2 collects the results of the previous analysis steps, runs an AI engine based on the laddering technique, and generates the feedback to be sent back to the participant. Figure 3 shows the implementation of the AI engine using the laddering technique.

As previously detailed, the automated assessment tools perform several tests that are used to determine the software vulnerabilities present in the Project. These are collected in textual form (e.g., JSON and XML) and normalized to be processed by the AI engine. The two most essential test results from the security assessment components are related to compilation errors (e.g., syntax errors) and functional unit testing. The participant's solution will be rejected if the code does not compile or is not working (functioning) as intended. When both these tests pass, the AI engine uses the security tests and the SAST, DAST, and RASP tools to generate hints to send to the participant.

A combination of findings from these tools forms a vulnerability. These findings and vulnerabilities are then mapped to SCG and BP. In figure 3, each horizontal path (i-th row) corresponds to a ladder and also to a specific combination of vulnerabilities or static events found in the source code. Each path is also assigned a priority p(i) based on the criticality of the SCG and vulnerabilities. These priorities are assigned according to the ranking of secure coding guidelines, as presented in Gasiba et al. (see [7]). Higher-ranked secure coding guidelines are given higher priorities, and lower-ranked secure coding guidelines are given lower priorities. The AI engine then selects the path (corresponding to one ladder) based on the finding with the highest rank. The chosen hint H_{n+1} depends on the ladder and on the previous hint level sent to the participant on that ladder, as given by the system state.
If there are no more hints in the ladder, no additional hint is sent to the Player. Table 2 shows an example of hints provided by the virtual coach's AI engine corresponding to an "undefined behavior" path. The lower level hints are generic and give background information for the participant. The highest level hint contains exact information on how to solve the problem, thus revealing the solution.

[Figure 3: hint matrix with rows H_{k,1} … H_{k,N(k)}, a path selector and a hint adaptation stage]
Fig. 3. Laddering technique to generate hints
Table 2. Example of hint ladder with six levels
[Table 2 body: columns Level and Hint Text; the hint texts, which include links, were not recovered]

Finally, the Feedback component formats and enriches the hint selected by the AI Engine with project-specific information and sends it to the Web Back-End component to present to the Player. To foster critical thinking, the authors have also implemented a hint back-off (i.e., no hint will be given to a Player who is brute-forcing the hint system). This back-off system implements the following rule: 1) no hint is provided to the Player during 4 minutes after the backend has sent a hint to the Player, and 2) no hint is given until the number of code submissions since the previous hint sent to the Player by the backend is equal to 3 submissions.

Note that the feedback component not only fosters critical thinking by the Player, but can also be used to train the Player in the usage of static code analysis tools. However, further investigation of this aspect is needed in the future.
Real-World Artifact
Figure 4 shows the web interface of a real-world implementation of the Sifu platform. The machine where the Sifu platform was deployed was an AWS instance of type T3.Medium (2 CPUs with 4 GB RAM and a network connection of up to 5 Gbit/s). In order to install the required tools, a hard-disk of 40 GB was selected. The Sifu platform itself is developed in Python 3.8 using Flask.
Fig. 4. Sifu Web Interface
On the left, the Player can browse the Project and select a file to edit; the file editor is in the center, and on the right are the hints that the Player receives from the backend. The upper part contains buttons which include the following functionality:
– Submit: to submit the Project for analysis,
– Reload: to reload the Project from scratch,
– Report Challenge: to report problems with the challenge to the developers.
Note that, when a player finishes a challenge successfully, they are taken to an additional page with a discussion of the impact of the vulnerability and additional closing questions (e.g., on which secure coding guidelines have not been taken into consideration).
Evaluation of real-world artifact
The platform, containing five different challenges, was made available for experimentation to 15 participants in Germany in June 2020. Participants' ages ranged between 20 and 50 years old, with an average of 28.3. The participants' background was: 7 computer science students, 7 professional software developers, and 1 assistant professor. Participants were allowed to try the platform for as long as they liked; this resulted in a range from 15 minutes to 45 minutes. When successfully solving a challenge, the participants were asked (through the web interface) to rate the challenge based on the questions presented in table 3. Additionally, upon completing the experiment, the participants were asked to fill out a small online survey. The questions asked in this survey are presented in table 4. Both the challenge rating and the platform survey questions were based on a 5-point Likert scale.
Table 3. Challenge rating questions
Q1: Please give an overall rating to the challenge
Q2: How well could you recognize the vulnerability in the code?
Q3: How well can you fix this problem in production code?
Table 4. Platform survey questions
F1: My overall experience with the platform was positive
F2: The Sifu platform helps me to improve my secure coding skills
F3: Solving challenges in the Sifu platform helps me in recognizing vulnerable code
F4: Solving challenges in the Sifu platform helps me in understanding consequences of exploiting vulnerable code
F5: Solving challenges in the Sifu platform makes me overall happy
F6: Challenges in the Sifu platform help me to practice secure coding guidelines
F7: I find the Sifu platform adequate as a means to raise awareness on secure coding
F8: The examples in the Sifu platform are clearly presented
F9: It is fun to solve challenges in the Sifu platform
In this section, we present the results of the challenge feedback questions and the participants' survey. The results were processed using RStudio version 1.2.5019. Additionally, we briefly discuss the threats to validity.
Figure 5 shows the results of the challenge rating questions. The average values and standard deviations are the following: Q3 3.92 (σ = 1.…) [the remaining values were not recovered].

[Figure 5: stacked bar chart of the Q1, Q2 and Q3 responses, 0% to 100%, from Strongly Disagree to Strongly Agree]
Fig. 5. Evaluation of Challenges in Sifu Platform
Figure 6 shows the survey results. The average values and standard deviations are the following: F6 4.33 (σ = 0.…) [the remaining values were not recovered]. The results are grouped into medium agreement (3.…), higher agreement (3.… to 3.8) and highest agreement (3.…):
– highest agreement: helps to practice and improve secure coding, is fun and adequate to raise secure coding awareness
– higher agreement: challenges are clearly presented and the experience is positive
– medium agreement: helps to recognize vulnerable code and understand consequences, and makes happy
[Figure 6: stacked bar chart of the F1 to F9 responses, 0% to 100%, from Strongly Disagree to Strongly Agree]
Fig. 6. Survey Results
The results hereby presented give an indication towards the suitability of the herein proposed solution to address RQ1 and RQ2, as stated in the problem statement of section 3.
The main aim of this work is to present an architecture of a serious game gearedtowards improving the secure coding skills of software developers. To validate theplatform’s usefulness, the authors have gathered feedback from 15 participantsin a trial experiment. Possible sources of threat to the validity of the results andconclusions presented in the previous section include: – low number of participants : although the gathered feedback shows a cleartendency towards positive feedback, the number of participants was low,making the standard deviations relatively high, – participants’ background : while the serious game is designed for industrialenvironments, a large portion of the participants were computer science stu-dents. Although the authors do not believe that this causes a significantchange in the results, further studies with industry players is required, – survey design : the survey administered at the end of the experiment wasguided by survey best practices; however, it lacks a formal and thoroughdesign, e.g., based on existing theories and existing questions database, – external validity : although the goal of the present work is to propose a newmethod to raise secure coding awareness of software developers, our study didnot contain a comparison of the methodology against existing and establishedmethods. Secure coding guidelines, secure software development best practices, and se-cure coding policies form an essential aspect of secure software developmentfor industrial control and cybersystems. Motivated by cybersecurity standardsand industry needs on raising awareness about secure coding guidelines, thiswork presents a novel method where software developers learn these secure cod-ing best practices in an online environment in the context of a serious game -Capture-the-Flag, while being assisted through a virtual coach. 
In particular, this work addresses and details an architecture that can scale (e.g., through online training) and is based on an interview laddering technique to generate helpful hints. Another source of inspiration for the current work is reinforcement learning techniques; however, the trainee is a human being, not a machine. Our proposed solution uses existing open source components to perform unit testing and static, dynamic, and run-time security analyses of the project code, which the participants need to change to eliminate software vulnerabilities. We also briefly discuss implemented mechanisms that prevent cheating by the players and mechanisms that do not allow them to attack the system back-end.

Finally, we obtain feedback on the produced artifact through evaluation questions upon completing different challenges and a small survey at the end of the experiment. Preliminary results show that the participants have fun using the platform and find it an adequate means to raise awareness on secure coding best practices. The developed platform will be made available in the future, after the internal software clearing process.

In future work, the authors would like to investigate additional factors that lead software developers to better understand the consequences of exploiting vulnerable code. Furthermore, the authors would like to investigate additional means to implement a more robust artificial intelligence engine for the virtual coach through systematic literature research. In a future publication, the authors will also perform a large-scale comparative study with existing and established cybersecurity teaching methods. Finally, the quality of the virtual coach engine depends heavily on the quality and number of input sources. In this aspect, the authors intend to investigate further possible sources and the quality (e.g., false positives, false negatives) of the existing and future input sources.
Acknowledgements
The authors would like to thank the participants of the survey for their time and their valuable answers. This work is financed by Portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the project FCT UIDB/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR-IUL for their support.