Building Security In: Injecting Security throughout the Undergraduate Curriculum Towson University and Bowie State University Partnered with Anne Arundel.

Presentation transcript:

Building Security In: Injecting Security throughout the Undergraduate Curriculum
Towson University and Bowie State University
Partnered with Anne Arundel Community College, Community College of Baltimore County, Harford Community College

Overview
Project Goals and Motivations
Importance of Security
Security Tracks and classes
– Too little too late
– Insecure coding techniques
Security Injections
– Early and often
– Minimally invasive

Overview
Security Injection Modules
Secure coding “big three”
– Integer overflow
– Buffer overflow
– Input validation
CIS0 (Computer Literacy)
– Phishing
– Passwords
– Cryptography
Format of modules
1. Background – description, risk, examples
2. Lab Assignment
3. Checklist
4. Discussion Questions
– Java/C++ versions

Security Injection Details
Develop & Pilot: Towson University, Bowie State University
Deploy: AACC, Harford, CCBC
TU and BSU assess and revise
MAISA recreates

Security Injection Details
CS0, CS1, & CS2
CIS0 (Computer Literacy)
Dbase
Web – Fall 2010 at TU
Networking – Fall 2010 at BSU

Process – How can you participate?
1. Administer Security Survey
2. Introduce Security Injections in class
3. Administer Security Survey
4. Complete Faculty Survey

Progress
More students
– Over 20 sections integrated, 4 courses, 5 institutions
More faculty
– Summer workshop => +12 new participants
– TU – Computer Literacy => +3 new participants
– Jan workshop => +5 new participants
– Feb at Bowie => +7? new participants
Outreach
– 2 papers at CISSE, Seattle
Cross-site Security Integration: Preliminary Experiences across Curricula and Institutions
Cooperative Information Assurance Capacity Building
– SIGCSE Birds of Feather with UNCC, Syracuse, Northern Kentucky, East Washington
NSF showcase

Outreach
2 papers at CISSE, Seattle
– Cross-site Security Integration: Preliminary Experiences across Curricula and Institutions
– Cooperative Information Assurance Capacity Building
SIGCSE
– Birds of Feather with UNCC, Syracuse, Northern Kentucky, East Washington
– NSF showcase

Progress
Quantitative Results - mixed
– Between sections, no significant improvement
– Next analysis – summer 2010
– CS0 - Split section – still being analyzed
– Posttest scores for CS0-CS2 students significantly higher than graduating seniors
Qualitative
– Students find checklists easy to use
– More discussion?

Progress from Year 1: Survey Responses
23 sections, 16 integrated.
– CS 0 3/3
– CS 1 5/7
– CS 2 3/5
– CIS0 1/5
Student Institutions
– Bowie State 13.2%
– CCBC 5.6%
– Harford CC 11.4%
– Towson 69.6
Student Gender
– Male 70%
– Female 30%
Student Ethnicity
– White 58%
– Black 26%
– Asian 7%
– Hispanic 2%
– Other 6%
Student Standing
– Freshman 26%
– Sophomore 29%
– Junior 28%
– Senior 12%
– Other 5%
Student Major
– Computer Science 25.3%
– Computer Info Sys 29.4%
– Math 6.3%
– Undecided 3.4%
– Other 35.0%

Progress from Year 1
Pretest->posttest data
[Table: PRE and POST columns; rows for All, CS0, CS1 and CS2; values not preserved]

Results
Faculty Surveys
13 faculty for spring 09 and fall
1. How would you rate the student interest in the security materials? (from "Not very interested" to "Extremely interested")
– Most answered between 3 and 4
2. How well were you able to incorporate these materials in your class? (from "Very troublesome" to "No problems at all")
– Most answered between 4 and 5
3. Did time spent on these topics detract from other topics that you might have covered? (from "Not at all" to "Significantly")
– 10/13 answered 1
4. Did the materials help you with your level of confidence in teaching the security concepts? (from "Not at all helpful" to "Very helpful")
– All felt the materials helped their level of confidence
5. Would you recommend these materials or this approach to a colleague? (from "Definitely not" to "Absolutely")
– 10/13 answered 5

Student feedback on checklists (Disagree / Neutral / Agree)
The checklists were easy to use: 3.85% / 26.92% / 69.23%
The checklists helped me understand the concepts: 8.00% / 28.00% / 64.00%
Checklists helped me understand vulnerabilities: 12.00% / 40.00% / 48.00%
I would like to use checklists in future classes: 17.39% / 43.48% / 39.13%
I liked the labs with checklists more than others: 25.00% / 45.83% / 29.17%
I learned more from the labs with checklists: 18.18% 40.91%
The checklists increased discussion: 26.09% / 34.78% / 39.13%

Progress from Year 1
What worked
With the detailed background information, the students were able to work mostly on their own without having to spend a lot of class time discussing the issues.
The idea that we can put them in the lab without much changes. I also liked that the injection was subtle without me talking to the class too much about it, they could link it to coursework implicitly.
After multiple exposure to the checklists, students seemed to get the hang of it.
In project after the topic, security was routinely brought up as something to make projects complete. So they are thinking about it
What didn’t
timing was a problem
Too long
Many students (esp. CIS students) had a difficult time connecting the programming issues to what is really happening
Students skipping background information
One thing, you do not show "hints" or "working examples" that do work for some of the possible errors. (Only some)

How can we improve?
More students + more institutions
Getting faculty involved
Feedback on modules
Increase security awareness
More split sections
Specific exercises on quizzes/exams for content

Plans for Year 2
CS0
– Deploy TU
– Pilot/Deploy BSU
– Pilot partners
CS1
– Deploy TU
– Pilot/Deploy BSU
– Pilot partners
CS2
– Pilot/Deploy TU
– Pilot BSU
CIS0
– Pilot TU/Deploy BSU
– Pilot partners
– Pilot AACC
CISDB
– TU – pilot/deploy
Summer 2010
– workshop at Harford?

Questions
Feedback
– Changes to modules
– Usage of modules
Timing of modules
Participation
– How can we get colleagues to adopt?
– What project/institutional support is needed?
– Any issues specific to your context that we should know about?
Brainstorm
– Web
– Database

Question (cont.)
What topics would you recommend for web security:
– cross-site scripting
– injection flaws / SQL injection
– insecure direct object reference
– malicious file execution
– cross site request forgery
– broken authentication and session management
– insecure cryptographic storage
– insecure communications
– failure to restrict URL access
2010 top 10 (reordered)
What languages?
– PHP, Java, Rails, JSP, ASP.Net