What are Security Injections?
Computer Security presents a challenge for educators in Computer Science and related fields. Although the need is clear, room for addressing security concerns is often lacking in computing curricula, and appropriate materials may be hard to find.
One approach to computer security education is the addition of new courses to the existing undergraduate course profile. Although relatively straightforward, this model has two significant drawbacks:
- Lack of time: Computing undergraduates are faced with a dizzying array of courses and requirements. New courses will add further constraints to majors that may already be seen as being overly restrictive.
- Lack of context: In relegating computer security to a stand-alone course, educators run the risk of implying that security is somehow an activity unto itself, as opposed to a concern that transcends many other computing topics.
Security injections address both of these concerns by building security into existing courses throughout the undergraduate computing curricula. As self-contained lab-based modules that challenge students to reflect upon security issues, these injections can be adapted for and adopted in courses ranging from introductory computer science to databases, networks, and web development.
Security injections cover a range of topics including integer overflow, buffer overflow, input validation, and risk analysis. Each injection contains the following components:
- Background materials include a concise description of the module topic, the risk involved, a real-world example, and some short non-programming exercises that students can complete.
- Laboratory/Homework Assignments provide active and engaging learning experiences, challenging students to "learn by doing". They also provide motivation by presenting meaningful concepts in an engaging manner.
- Security Checklists: Checklists are used in many applications, most notably in aviation safety, to reduce the likelihood of human error. While pre-flight checklists have been considered a key method in improving airline safety, checklists are increasingly used in software assurance. Well-developed checklists serve as reminder lists and help ensure consistency and completeness. A security checklist is a well-defined set of procedures for identifying potential security concerns. Students will be asked to apply security checklists to programs or program fragments, including code that they may have written as part of the lab assignment. By requiring students to complete a concrete series of steps in a specified order, security checklists reduce the likelihood of omitting a key security feature and provide a quantifiable list of criteria. Checklists act as a form of self-assessment, reinforcing security principles and helping students internalize key concepts through critical reflection.
- Discussion questions ask the students to reflect upon the concepts introduced in the assignment and checklist, encouraging consideration of the various kinds of risks and how they might be mitigated. The inclusion of discussion and feedback questions requires students to reflect upon the process, the results, and the security implications of the new concept.
- Security Scorecards contain the same content as checklists, but they are used by the instructor or a grader for a consistent means of evaluation and assessment.
Initial experience with these techniques indicates that injections can help increase awareness of computer security concerns.
