Raising Secure Coding Awareness for Software Developers in the Industry
arXiv [cs.SE], Feb
Tiago Gasiba
Siemens AG, München, [email protected]
Ulrike Lechner
Universität der Bundeswehr München, [email protected]
Abstract—Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: first, secure coding must be based on a set of secure coding guidelines, and second, software developers must be aware of these secure coding practices. On the one side, secure coding guidelines seem a bit like a black art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known to the people who should be using them, i.e. software developers. Motivated both by the secure coding requirements from industry standards and by the mandate to train staff on IT security by the global industry initiative "Charter of Trust", this paper presents an overview of important research questions on how to choose secure coding guidelines and on how to raise software developer awareness for secure coding using serious games.
Index Terms—security policy, secure coding, guidelines, IT security, industry standard, information systems, industry, serious games, capture-the-flag
I. INTRODUCTION
The Charter of Trust [1] is a global initiative which is being undertaken by several leading companies to address the growing concerns related to the IT security of their products and services. In order to tackle IT security issues at their root and in the early stages of product development, one of the points of this initiative addresses the topic of cybersecurity education and awareness [2]. This aspect is also mandated by several industry standards, to which companies are subject to compliance, such as 62.443 [3], 27k [4], NIST SP 800-39 [5], etc. As such, software developers need to be trained in and familiar with how to develop, avoid security pitfalls and write secure code in the programming language being used for product development. The basis for this is a well defined and clear set of secure coding guidelines. These come in two flavors: abstract guidelines, such as OWASP [6], or programming language-specific ones such as MISRA-C [7], CERT SEI-C [8] and CERT SEI-Java [9].

In order to tackle the issue of raising IT security awareness of software developers in the industry, our vision is to use a serious game approach where the individual challenges are based on secure coding guidelines (SCG). This work, based on our industry experience and observations, lays out some research questions that address both the topic of selecting secure coding guidelines and the topic of how to raise awareness about secure coding based on these guidelines. Section II outlines the current state of the art. In Section III we propose a method to derive secure coding guidelines and also present our research questions. Finally, Section IV presents preliminary results and future work.

II. STATE OF THE ART

A. Secure Coding Guidelines
Table I shows excerpts from three prominent industry standards, which mandate secure coding practices or even explicitly the usage of secure coding guidelines. The requirements give no clear indication about which secure coding guidelines should be adopted; this can be understood in light of the fact that there is no general consensus on and standardization of SCG.

TABLE I: Secure Coding Requirements from Standards

Standard | Requirement text
 | [...] incorporate security coding [...]
 | [...] secure coding guidelines for each programming language used [...]
NIST SP800-39 | [...] Information system security engineers employ ... secure coding techniques [...]
Our experience has shown that the quest for secure coding guidelines can result in (1) a lack of SCG, (2) too many SCG or (3) conflicting SCG/recommendations. This diversity and lack of standardization leads to companies needing to define their own set of internally accepted secure coding guidelines. This results in a non-uniform and incoherent selection of SCG across the industry. To the best of our knowledge, there is no previous work on how to systematically derive and define SCG (e.g. for a given programming language) and on raising awareness about SCG using serious games. In Section III we present a proposal for a possible methodology to derive SCG.
B. IT Security Awareness Training
Software development in the industry is normally bound to a set of well established and existing programming languages [10]. It has been shown that there isn't really one programming language that is significantly more secure than any other [11]: vulnerabilities appear across all programming languages. Therefore, it makes sense to focus efforts on raising awareness of software developers on how to write secure code. According to Benenson [2], awareness can help to improve the understanding of the issues, to better identify the issues and to act accordingly. Furthermore, Graziotin [12] has shown a correlation between developer happiness and source code quality. One training methodology that therefore seems well suited is the use of serious games [13], in particular if based on Capture-the-Flag (CTF).

III. RESEARCH TOPICS
In the previous sections, we have briefly presented the importance of secure coding guidelines both to fulfill industry standards and policies and also as a basis for IT security awareness for software developers. Unfortunately, not all programming languages have widely agreed secure coding guidelines, which leads to companies having to define their own. In the following, we propose a method to systematically derive secure coding guidelines. Furthermore, with the goal of raising secure coding awareness, we present possible research questions to achieve this goal.
A. Systematic Derivation of Secure Coding Guidelines
Given a vulnerability database, such as [14], we propose a systematic method to derive secure coding guidelines comprising the following steps:

1) define a business impact metric (BIM) for vulnerabilities
2) compute the BIM for all vulnerabilities in the database
3) map vulnerabilities and BIM to language-specific rules
4) compile the set of rules into secure coding guidelines

The BIM is a company-specific metric which shall represent the perceived negative impact of the exploitation of the given vulnerability. This metric shall be aligned with business objectives and risk appetite [15] and can include parameters such as: impact score (e.g. based on estimated money loss), probability of occurrence, perceived ease of exploitation, etc. The mapping of vulnerabilities to language-specific rules and constructs shall be done between IT security experts and software developers. At this stage, several language-specific recommendations could result from a single vulnerability. The last step is a codification step, which consolidates and abstracts all the derived recommendations into a catalog of secure coding guidelines.

The main advantage of this method is that, due to the usage of a metric, the resulting secure coding guidelines can be prioritized in terms of business importance. This leads to a natural categorization of the most important guidelines to focus on in awareness training programs.
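The four-step derivation above can be made concrete with a small worked example. The following Python script is an added illustration and not the authors' code: the BIM formula (a weighted product of impact score, probability of occurrence and perceived ease of exploitation), the three vulnerability records with their V-00x identifiers, and the rule texts in RULES_BY_VULN are all constructed for this example. It computes the BIM for each record (step 2), attaches the language-specific rules that experts and developers would have agreed on (step 3), and consolidates them into a per-language catalog ranked by business importance (step 4), which is exactly the prioritization the paragraph says the method enables.

```python
"""Added example of the BIM-based derivation of secure coding guidelines.
All vulnerabilities, scores, identifiers and rule texts are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str         # constructed identifier, not a real CVE number
    name: str
    impact_score: float  # 0..10, e.g. derived from estimated monetary loss
    probability: float   # 0..1, likelihood of occurrence in the product line
    ease: float          # 0..1, perceived ease of exploitation


def business_impact_metric(v: Vulnerability, weights=(1.0, 1.0, 1.0)) -> float:
    """Step 1: an assumed company-specific BIM. Here a weighted product of the
    three parameters named in the text; a company aligns the weights (and the
    formula itself) with its own business objectives and risk appetite."""
    wi, wp, we = weights
    return round((v.impact_score ** wi) * (v.probability ** wp) * (v.ease ** we), 3)


# Constructed database excerpt (step 2 input).
SAMPLE_VULNS = [
    Vulnerability("V-001", "stack buffer overflow", impact_score=9.0, probability=0.3, ease=0.5),
    Vulnerability("V-002", "SQL injection", impact_score=8.0, probability=0.6, ease=0.9),
    Vulnerability("V-003", "path traversal", impact_score=5.0, probability=0.4, ease=0.6),
]

# Step 3 input: language-specific rules agreed between security experts and
# developers (constructed). One vulnerability may yield several rules.
RULES_BY_VULN = {
    "V-001": [("C", "Use length-checked copy functions and validate sizes before copying.")],
    "V-002": [("SQL", "Use parameterized queries; never concatenate user input into statements."),
              ("Java", "Use PreparedStatement with bind variables instead of Statement.")],
    "V-003": [("Java", "Validate and canonicalize file paths before opening files.")],
}


def derive_guidelines(vulns, rules_by_vuln, bim=business_impact_metric):
    """Steps 2-4: score every vulnerability, attach its rules, and consolidate
    them into a catalog keyed by language. Each rule is ranked by the highest
    BIM of the vulnerabilities it addresses, so the catalog is prioritized."""
    catalog = {}
    for v in vulns:
        score = bim(v)
        for lang, rule in rules_by_vuln.get(v.vuln_id, []):
            entry = catalog.setdefault(lang, {})
            prev_score, prev_ids = entry.get(rule, (0.0, []))
            entry[rule] = (max(prev_score, score), prev_ids + [v.vuln_id])
    ranked = {}
    for lang, rules in catalog.items():
        ranked[lang] = sorted(
            ((rule, score, sorted(ids)) for rule, (score, ids) in rules.items()),
            key=lambda r: r[1], reverse=True)
    return ranked


def training_priorities(ranked_catalog, top_n=3):
    """Flatten the catalog across languages and return the top_n rules by BIM:
    the guidelines an awareness training program should cover first."""
    flat = [(lang, rule, score) for lang, rules in ranked_catalog.items()
            for rule, score, _ in rules]
    return sorted(flat, key=lambda r: r[2], reverse=True)[:top_n]


if __name__ == "__main__":
    catalog = derive_guidelines(SAMPLE_VULNS, RULES_BY_VULN)
    for lang, rules in catalog.items():
        print(f"{lang}:")
        for rule, score, ids in rules:
            print(f"  BIM={score:<5} {rule}  (from {', '.join(ids)})")
    print("Training priorities:", training_priorities(catalog))
```

The rounding to three decimals in business_impact_metric keeps the scores readable; the ranking itself only depends on the relative order. Because a rule keeps the maximum BIM of every vulnerability that maps to it, a single generic rule reached from several vulnerabilities naturally rises to the top of the catalog, which is the "codification" effect described in the last step.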
B. Secure Coding Awareness for Software Developers
Recently, there has been an increased interest in using serious games [13] to raise IT security awareness, e.g. [16, 17, 18]. While the published work until now shows good indicators of the suitability of this approach, it has been (1) focused on a different target group than the one we wish to address, e.g. pentesters or security experts, and (2) focused on general IT security awareness, e.g. email and password handling. However, our target group are software developers for the industry and the content of the training is specific to secure coding. Nevertheless, we also hypothesize that an adapted serious game of the CTF type can also be effectively used to raise secure coding awareness of software developers. Our assumption is based on the positive indicators from similar work, but also on the following facts: (1) participants typically enjoy playing CTF games (Kees et al. [19]) and (2) happy developers write better code (Graziotin et al. [12]).
C. Research Questions
This short paper has briefly shown how important secure coding guidelines are for the industry and also for raising software developer awareness on the topic of secure coding. However, it also raises some further important questions that need additional research. These questions include:

Q1 What is the current state of usage of SCG across the industry?
Q2 How can SCG be systematically derived?
Q3 How to raise awareness about SCG for software developers in the industry by means of CTF serious games?

The first research question, Q1, should allow us to validate the assumption that our reported experience is also shared among the industry. Question Q2 would help in Q3 when secure coding guidelines are missing as input to create a serious game. Due to the derivation of a business metric, it also allows guidelines to be ranked by importance to the business. Motivated by the industry problem exemplified in this work, Q3 tries to address it by means of designing a serious game.

IV. PRELIMINARY RESULTS AND FUTURE RESEARCH
Currently ongoing investigations, based on a requirements engineering approach, intend to address the questions presented in Section III-C. The result aims at contributing to how to improve IT security awareness, in particular on secure coding topics, of software developers in the industry and, as a consequence, lead to improved quality of products and services. Preliminary results [20] on the requirements for Capture-the-Flag challenge design give a positive indication that defensive-style games are appropriate for raising awareness about secure coding. Furthermore, they confirm the happiness and satisfaction of the participants playing the game. Further preliminary research suggests that the presented methodology to derive secure coding guidelines can indeed be used as input to design defensive challenges and also to plan and prioritize a teaching curriculum. Investigations which shall address the research questions above and also the architecture of the Capture-the-Flag serious game and player engagement are currently underway.
REFERENCES

[12] [...] Journal of Systems and Software, 2017.
[13] R. Dörner, S. Göbel, W. Effelsberg, and J. Wiemeyer, Serious Games: Foundations, Concepts and Practice.
[15] CISM Review Manual, 15th Edition. Information Systems Audit and Control Association, 2016.
[16] T. Awojana and T.-S. Chou, "Overview of Learning Cybersecurity Through Game Based Systems," New Orleans, LA: Advances in Engineering Education, Feb. 2019, https://peer.asee.org/31521.
[17] A. Rieb, T. Gurschler, and U. Lechner, "A Gamified Approach to Explore Techniques of Neutralization of Threat Actors in Cybercrime," Jun. 2017, pp. 87–103.
[18] A. Rieb, "IT-Sicherheit: Cyberabwehr mit hohem Spaßfaktor," kma - Das Gesundheitswirtschaftsmagazin, vol. 23, pp. 66–69, Jul. 2018.
[19] K. Leune and S. J. P. Jr., "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education," SIGITE'17, pp. 47–52, Oct. 2017.
[20] T. Gasiba, K. Beckers, S. Suppan, and F. Rezabek, "On the Requirements for Serious Games Geared Towards Software Developers in the Industry," submitted for publication: Requirements Engineering Conference.