This paper presents the results of an in-depth study of 14 teams' development processes during a three-week undergraduate course organized around a secure coding competition. Contest participants were expected to first build code to a specification---emphasizing correctness, performance, and security---and then to find vulnerabilities in other teams' code while fixing discovered vulnerabilities in their own code. Our study aimed to understand why developers introduce different vulnerabilities, the ways they evaluate programs for vulnerabilities, and why different vulnerabilities are (not) found and (not) fixed. We used iterative open coding to systematically analyze contest data including code, commit messages, and team design documents. Our results point to the importance of existing best practices for secure development, the use of security tools, and development team organization.
@inproceedings{fulton22contest,
  author    = {Kelsey R. Fulton and Daniel Votipka and Desiree Abrokwa and Michelle L. Mazurek and Michael Hicks and James Parker},
  title     = {Understanding the how and the why: Exploring secure development practices through a course competition},
  booktitle = {Proceedings of the {ACM} Conference on Computer and Communications Security (CCS)},
  month     = oct,
  year      = 2022
}
This file was generated by bibtex2html 1.99.