XSS for the Masses: Integrating Security in a Web Programming Course using a Security Scanner

by Lwin Khin Shar, et al.

Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.
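The abstract says the course illustrated the OWASP Top 10 "by example" and then had students find the same issues with a scanner such as ZAP. The following is an added illustration, not code from the paper or its course materials, of the single most common of those issues for a web programming class: reflected XSS caused by concatenating untrusted input into HTML. The function names (`escapeHtml`, `renderGreetingUnsafe`, `renderGreetingSafe`, `reflectsMarkup`) and the probe string are hypothetical; `reflectsMarkup` is only a crude stand-in for the reflection check an automated scanner performs.

```javascript
// Added example (not from the paper): a vulnerable render beside a hardened one,
// plus the simplest form of the check a scanner automates.

// Encode the five characters that can break out of an HTML text node or
// attribute value. Applying this at the output sink is the core fix for XSS.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: a query parameter is dropped straight into the markup, so any
// markup in the parameter becomes live HTML in the page.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same page with output encoding applied where the untrusted
// value meets the HTML.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// A scanner sends a request carrying a marker and inspects the response:
// if the marker comes back unencoded, the parameter is reflected as markup.
function reflectsMarkup(html, marker) {
  return html.includes(marker);
}

// Constructed probe value of the kind a scanner injects (hypothetical).
const constructedProbe = "<script>probe()</script>";

function demo() {
  console.log("unsafe:", renderGreetingUnsafe(constructedProbe));
  console.log("safe:  ", renderGreetingSafe(constructedProbe));
  console.log(
    "unsafe reflects markup:",
    reflectsMarkup(renderGreetingUnsafe(constructedProbe), "<script>")
  );
  console.log(
    "safe reflects markup:  ",
    reflectsMarkup(renderGreetingSafe(constructedProbe), "<script>")
  );
}

demo();
```

Running the block shows the unsafe render echoing the probe as executable markup and the safe render returning it as inert text, which is exactly the difference a ZAP active scan reports as a reflected XSS alert on the former and nothing on the latter. Encoding must be chosen per context (HTML body, attribute, JavaScript, URL); the escaper above covers only the HTML text and quoted-attribute contexts.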
