2014 HUIC Education & STEM Conference
Honolulu, Hawaii June 16-18, 2014
What approaches work best for teaching secure
coding practices?
ABSTRACT
The same vulnerabilities continue to appear in code, over and
over again, yet many educational institutions continue to
teach programming as they always have. Some high-tech
companies have found it necessary to establish ongoing
security training for their developers to make up for the
absence of college-level, secure coding curriculum. Recently,
the thread model, which integrates security concepts into
existing Computer and Information Science curricula, has
been recognized as effective, while not impacting
resource-limited institutions with a complete curriculum change.
Using the thread approach, we developed curricula inserts
that include a programming assignment using a threat
modeling tool, a design assignment applying a secure
software development life cycle, a study comparing
non-secure with secure code, and a re-documentation technique
that produces secure code from non-secure programs. We
introduced these curriculum assets during a secure coding
workshop for instructors. Their responses to assessment
surveys provide insight into what approaches work best.
Index terms: Secure Coding, Thread Teaching Model, Secure
Coding Workshop
I. INTRODUCTION
It is estimated that 90 percent of reported security
incidents result from exploits against defects in the
design or code of commonly used software [1].
According to Symantec’s vulnerability trend analysis,
the total number of vulnerabilities is on the rise, from
4,814 in 2009 to 6,253 in 2010—a 30% increase [2]. By
improving the education of computer scientists to
include secure coding practices, we could expect
significant reduction in the number of software
vulnerabilities produced in code.
Sam Chung, Ph.D., Associate Professor, Institute of
Technology, University of Washington Tacoma.
Leo Hansel, MS, Institute of Technology, University of
Washington Tacoma.
Yan Bai, Ph.D., Associate Professor, Institute of Technology,
University of Washington Tacoma.
Elizabeth Moore, Ph.D., Principal Evaluator, Applied
Inference, Seattle, Washington.
Carol Taylor, Ph.D., Associate Professor, Eastern
Washington University, Cheney, Washington.
Martha Crosby, Ph.D., Professor, University of Hawaii
Manoa, Honolulu, Hawaii.
Rachelle Heller, Ph.D., Professor, George Washington
University, Washington, D.C.
Viatcheslav Popovsky, Ph.D., Affiliate Professor, Center for
Ethics, University of Idaho, Moscow, Idaho.
Barbara Endicott-Popovsky, Ph.D., Director for the Center
of Information Assurance and Cybersecurity, Research
Associate Professor, University of Washington, Seattle.
There have been three well-documented approaches to
teaching secure coding techniques [3, 4]: 1) the
single-course approach, 2) the track approach, and 3) the thread
approach. The single-course approach is as its name
implies—the introduction of a single course on secure
coding practices, generally at the end of an
undergraduate program. The track approach is similar.
Several additional courses, instead of just one, are added
to existing curriculum, to create a concentration that
provides a more in-depth understanding. The thread
approach, in contrast, recommends integration of
security concepts across existing Computer Science (CS)
and Information Systems (IS) curriculum.
The thread approach has been recognized as
pedagogically more effective, while at the same time not
impacting resource-limited institutions unnecessarily
with the overhead of making a complete curriculum
change [5]. Adopting a thread approach, institutions need
only a small budget to upgrade curriculum to include
secure coding concepts, and faculty members need only
to spend a small amount of time to make needed changes
[4]. There is no need to introduce completely new
courses that require a lengthy internal curriculum review
process that may slow implementation. Several
successful attempts at the thread approach have been
reported [4, 5].
In spite of reported success, many faculty members find
it too time consuming to make the needed curricular
improvements. Others are unsure about how to
incorporate secure coding concepts into existing courses.
Still others are simply unaware.
Sam Chung, Leo Hansel, Yan Bai, Univ. of Washington Tacoma, Elizabeth Moore, Applied Inference, Carol Taylor,
Eastern Washington Univ., Martha Crosby, Univ. of Hawaii Manoa, Rachelle Heller, George Washington University,
Viatcheslav Popovsky, Univ. of Idaho, and Barbara Endicott-Popovsky, Univ. of Washington, Seattle