arXiv:2102.10431v1 [cs.SE] 20 Feb 2021

Raising Secure Coding Awareness for Software Developers in the Industry

Tiago Gasiba, Siemens AG, München, [email protected]
Ulrike Lechner, Universität der Bundeswehr München, [email protected]

Abstract—Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: first, secure coding must be based on a set of secure coding guidelines, and second, software developers must be aware of these coding practices. On the one side, secure coding guidelines seem like a bit of a black-art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known by the people which should be using them, i.e. software developers. This work, based on our industry experience and observations, lays out some research questions that address both the quest on how to choose secure coding guidelines and the quest on how to raise software developer awareness for secure coding using serious games.

Index Terms—security policy, secure coding, guidelines, IT security, industry standard, information systems, capture-the-flag, serious games

I. INTRODUCTION

In order to tackle IT Security issues at its root, the Charter of Trust [1] is a global initiative which is being undertaken by several leading companies to address the growing concerns related to IT Security in products and services. In order to address this, one of its initiative points addresses the topic of cybersecurity awareness and education in the early stages of product development [2]. This aspect is also mandated by several industry standards, such as IEC 62443 [3], ISO 27k [4], NIST SP 800-39 [5], etc. As such, companies which are subject to compliance to such standards need their software developers to be trained to be familiar with security pit-falls, how to avoid them, and how to write secure code with the programming language being used. The basis for this is a well defined and clear set of secure coding guidelines. These come in two flavors: abstract guidelines, such as OWASP [6], or programming language-specific guidelines, such as MISRA-C [7], CERT SEI-C [8] and CERT SEI-Java [9].

Motivated both by the secure coding requirements from industry standards and also by the global industry initiative "Charter of Trust", this paper presents an overview on the important quest of how to choose secure coding guidelines and on how to train software staff by raising software developer awareness on secure coding using serious games. Our vision is a serious game approach for software developers in the industry, where the individual challenges are based on secure coding guidelines (SCG). This requires knowing how to systematically derive and define SCG (e.g. for a given programming language) and how to use serious games for raising awareness about SCG.

Section II outlines the current state of the art. In Section III we propose a method to systematically derive secure coding guidelines and also present our research questions. Finally, Section IV presents preliminary results and future work.

II. STATE OF THE ART

TABLE I: Secure Coding Requirements from Standards

  Standard        | Requirement text
  ----------------+-------------------------------------------------------------------------------
  IEC 62443-4-1   | [...] incorporate security coding [...] secure coding techniques [...]
  NIST SP 800-39  | [...] Information system security engineers [...] employ secure coding techniques [...]
  ISO/IEC 27002   | [...] secure coding guidelines for each programming language used [...]

A. Secure Coding Guidelines

Table I shows excerpts from three prominent industry standards, which mandate the usage of secure coding practices or even explicitly mandate secure coding guidelines. The requirement gives no clear indication about which secure coding guidelines should be adopted - this can be understood in light of the fact that there is a lack of general consensus and standardization of SCG.

Our experience has shown that the quest for secure coding guidelines can result in (1) a lack of SCG, (2) a lack of standardization of SCG, or (3) conflicting SCG/recommendations. This diversity leads to many companies needing to define their own internal set of SCG. This results in a non-uniform and incoherent selection of secure coding guidelines across the industry. To the best of our knowledge, there is no previous work on the topic of selecting secure coding guidelines, nor on how to raise awareness about secure coding based on these guidelines. In Section III we present a proposal of a possible methodology to derive SCG.

Software development in the industry is normally bound to a set of well established programming languages [10]. It has been shown that there isn't really one programming language that is significantly more secure than another [11] - vulnerabilities appear across all programming languages. Therefore, it makes sense to focus efforts on raising awareness of software developers on how to write secure code.

B. IT Security Awareness Training

According to Benenson [2], awareness can help to improve the understanding of the issues, to better identify the issues and to act accordingly. Furthermore, Graziotin [12] has shown a correlation between developer happiness and source code quality. One training methodology that therefore seems to be well suited is the use of serious games [13], in particular if based on Capture-the-Flag (CTF).

III. RESEARCH TOPICS

In the previous sections, we have briefly presented the importance of secure coding guidelines both to fulfill industry standards and policies and also as a basis for IT security awareness for software developers. Unfortunately, not all programming languages have widely agreed secure coding guidelines, which leads to companies having to define their own. In the following, we propose a method to systematically derive secure coding guidelines. Furthermore, with the goal of raising secure coding awareness, we present possible research questions to achieve this goal.

A. Systematic Derivation of Secure Coding Guidelines

Given a vulnerability database, such as [14], we propose a systematic method to derive secure coding guidelines comprising the following steps:

1) define a business impact metric (BIM) for vulnerabilities
2) compute the BIM for all vulnerabilities in the database
3) map vulnerabilities and BIM to language-specific rules
4) compile the set of rules into secure coding guidelines

The BIM is a company-specific metric which shall represent the perceived negative impact of the exploitation of the given vulnerability. This metric shall be aligned with business objectives and risk appetite [15] and can include parameters such as: impact score (e.g. based on estimated money loss), probability of occurrence, perceived ease of exploitation, etc. The mapping of vulnerabilities to language-specific rules and constructs shall be done between IT security experts and software developers. At this stage, several language-specific recommendations could result from a single vulnerability. The last step is a codification step, which consolidates and abstracts all the derived recommendations into a catalog of secure coding guidelines.

The main advantage of this method is that, due to the usage of a metric, the resulting secure coding guidelines can be prioritized in terms of business importance. This leads to a natural categorization of the most important guidelines to focus on in awareness training programs.
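The four-step derivation above can be made concrete with a small script. The following is an added worked example, not code from the paper or its authors: it defines a hypothetical BIM as a weighted sum of normalised money loss, probability of occurrence and ease of exploitation, computes it over a constructed stand-in for a vulnerability database (placeholder ids, not real CVE numbers), maps each weakness class to constructed C-specific rules, and consolidates the rules into a catalog ordered by the worst-case BIM of the vulnerabilities each rule addresses. The weights, loss ceiling, records and rule texts are all assumptions chosen for illustration.

```python
"""Worked example of the four-step SCG derivation:
(1) define a business impact metric (BIM), (2) compute it for every
vulnerability in a database, (3) map vulnerabilities and BIM to
language-specific rules, (4) compile the rules into a catalog of secure
coding guidelines ranked by business importance.
All weights, vulnerability records and rule texts are constructed for
illustration; the ids are placeholders, not real CVE numbers."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vid: str            # constructed placeholder id (not a real CVE number)
    weakness: str       # weakness class the database entry belongs to
    money_loss: float   # estimated loss in EUR if exploited (constructed)
    probability: float  # perceived probability of occurrence, 0..1
    ease: float         # perceived ease of exploitation, 0..1


# Step 1: company-specific BIM.  The weights encode risk appetite and are
# hypothetical; a real company would derive them from its business objectives.
WEIGHTS = {"money_loss": 0.5, "probability": 0.3, "ease": 0.2}
MAX_LOSS = 1_000_000.0  # losses at or above this ceiling all count as 1.0


def business_impact(v: Vulnerability) -> float:
    """BIM in [0, 1]; higher means a worse outcome for the business."""
    loss = min(v.money_loss, MAX_LOSS) / MAX_LOSS
    score = (WEIGHTS["money_loss"] * loss
             + WEIGHTS["probability"] * v.probability
             + WEIGHTS["ease"] * v.ease)
    return round(score, 4)


# Constructed stand-in for an export of a vulnerability database.
VULNS = [
    Vulnerability("V-001", "buffer-overflow", 800_000, 0.6, 0.7),
    Vulnerability("V-002", "buffer-overflow", 200_000, 0.4, 0.9),
    Vulnerability("V-003", "format-string", 500_000, 0.2, 0.5),
    Vulnerability("V-004", "integer-overflow", 1_500_000, 0.1, 0.3),
]

# Step 3 input: weakness class -> language-specific rules (C here), as agreed
# between security experts and developers.  One weakness may yield several
# recommendations.  Rule texts are constructed.
RULE_MAP = {
    "buffer-overflow": [
        "C: check bounds before writing into fixed-size arrays",
        "C: prefer length-bounded string functions over unbounded ones",
    ],
    "format-string": ["C: never pass externally supplied data as a format string"],
    "integer-overflow": ["C: check for wrap-around before arithmetic that feeds allocation sizes"],
}


def compute_bim(vulns):
    """Step 2: BIM for every vulnerability, keyed by id."""
    return {v.vid: business_impact(v) for v in vulns}


def map_to_rules(vulns, rule_map):
    """Step 3: rule -> list of (vid, bim) for the vulnerabilities it addresses.
    Weakness classes without an agreed rule are simply left unmapped."""
    mapping = defaultdict(list)
    for v in vulns:
        for rule in rule_map.get(v.weakness, []):
            mapping[rule].append((v.vid, business_impact(v)))
    return dict(mapping)


def compile_guidelines(vulns, rule_map):
    """Step 4: consolidate rules into a catalog ordered by priority.
    Priority is the worst-case BIM among the vulnerabilities a rule addresses,
    so a guideline inherits the impact of the most damaging issue it prevents."""
    catalog = []
    for rule, hits in map_to_rules(vulns, rule_map).items():
        priority = max(b for _, b in hits)
        catalog.append({"rule": rule, "priority": priority,
                        "vulnerabilities": sorted(vid for vid, _ in hits)})
    return sorted(catalog, key=lambda g: (-g["priority"], g["rule"]))


def training_focus(catalog, top_n):
    """Guidelines an awareness training program should cover first."""
    return [g["rule"] for g in catalog[:top_n]]


if __name__ == "__main__":
    for g in compile_guidelines(VULNS, RULE_MAP):
        print(f'{g["priority"]:.2f}  {g["rule"]}  <- {", ".join(g["vulnerabilities"])}')
```

Taking the maximum rather than the sum of the BIM values keeps a rule that covers many low-impact entries from outranking one that prevents a single severe one; a company whose risk appetite weighs breadth of exposure more heavily could swap in a sum or a count-weighted mean at that one line.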
B. Secure Coding Awareness for Software Developers

Recently, there has been an increased interest in using serious games [13] to raise IT security awareness, e.g. [16, 17, 18]. While the published work until now shows good indicators of the suitability of this approach, it has been (1) focused on a different target group than the one we wish to address, e.g. pentesters or security experts, and (2) focused on general IT security awareness, e.g. email and password handling. However, our target group are software developers for the industry and the content of the training is specific to secure coding. Nevertheless, we hypothesize that an adapted serious game of the type CTF can also be effectively used to raise secure coding awareness of software developers. Our assumption is based on the positive indicators from similar work, but also on the following facts: (1) participants typically enjoy playing CTF games (Kees et al. [19]) and (2) happy developers write better code (Graziotin et al. [12]).

C. Research Questions

This short paper has briefly shown how important secure coding guidelines are for the industry and also for raising software developer awareness on the topic of secure coding. However, it also raises some further important questions that need additional research. These questions include:

Q1 What is the current state of usage of SCG across the industry?
Q2 How can SCG be systematically derived?
Q3 How to raise awareness about SCG for software developers in the industry by means of CTF serious games?

The first research question, Q1, should allow us to validate the assumption that our reported experience is also shared among the industry. Question Q2 would help in Q3 when secure coding guidelines are missing as input to create a serious game. Due to the derivation of a business metric, it also allows guidelines to be ranked by importance to the business. Motivated by the industry problem exemplified in this work, Q3 tries to address it by means of designing a serious game.

IV. PRELIMINARY RESULTS AND FUTURE RESEARCH

Currently ongoing investigations, based on a requirements engineering approach, intend to address the questions presented in Section III-C. The result aims at contributing to how to improve IT security awareness, in particular on secure coding topics, of software developers in the industry and, as a consequence, lead to improved quality of products and services.

Preliminary results [20] on the requirements for Capture-the-Flag challenge design give a positive indication that defensive-style games are appropriate for raising awareness about secure coding. Furthermore, they confirm the happiness and satisfaction of the participants playing the game. Further preliminary research suggests that the presented methodology to derive secure coding guidelines can indeed be used as input to design defensive challenges and also to plan and prioritize a teaching curriculum.

Investigations which shall address the research questions above and also the architecture of the Capture-the-Flag serious game and player engagement are currently underway.
REFERENCES

[1] Siemens AG. The Charter of Trust Takes a Major Step Forward to Advance Cybersecurity. [Online]. Available: https://www.siemens.com/press/en/feature/2018/corporate/2018-02-cybersecurity.php
[2] N. Hänsch and B. Zinaida, "Specifying IT Security Awareness," 25th International Workshop on Database and Expert Systems Applications, pp. 326–330, 2014.
[3] "Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements," International Electrotechnical Commission, Standard, 01 2018.
[4] "ISO/IEC 27002:2013. Information Technology – Security Techniques – Code of Practice for Controls," International Organization for Standardization, Geneva, CH, Standard, 2013.
[5] National Institute of Standards and Technology, Joint Task Force Transformation Initiative, "SP 800-39. Managing Information Security Risk: Organization, Mission, and Information System View," Gaithersburg, MD, United States, Tech. Rep., 2011.
[6] OWASP. OWASP Top 10. (17 June 2019). [Online]. Available: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf
[7] "Guidelines for the Use of the C Language in Critical Systems," Motor Industry Software Reliability Association, Nuneaton, Warwickshire, UK, Standard, 03 2012.
[8] Software Engineering Institute. SEI CERT C Coding Standard. [Online]. Available: https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
[9] ——. SEI CERT Oracle Coding Standard for Java. [Online]. Available: https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
[10] TIOBE Software BV. (2019) TIOBE Programming Community Index. [Online]. Available: https://www.tiobe.com/tiobe-index/
[11] WhiteSource. What Are the Most Secure Programming Languages? [Online]. Available: https://www.whitesourcesoftware.com/most-secure-programming-languages/
[12] D. Graziotin, F. Fagerholm, X. Wang, and P. Abrahamsson, "What Happens When Software Developers Are (Un)happy," Journal of Systems and Software, 2017.
[13] R. Dörner, S. Göbel, W. Effelsberg, and J. Wiemeyer, Serious Games: Foundations, Concepts and Practice. Springer International Publishing, 2016.
[14] M. Corporation. CVE details. [Online]. Available: https://www.cvedetails.com/
[15] ISACA, CISM Review Manual, 15th Edition. Information Systems Audit and Control Association, 2016.
[16] T. Awojana and T.-S. Chou, "Overview of Learning Cybersecurity Through Game Based Systems," in 2019 CIEC. New Orleans, LA: Advances in Engineering Education, 2 2019, https://peer.asee.org/31521.
[17] A. Rieb, T. Gurschler, and U. Lechner, "A Gamified Approach to Explore Techniques of Neutralization of Threat Actors in ," 06 2017, pp. 87–103.
[18] A. Rieb, "IT-Sicherheit: Cyberabwehr mit hohem Spaßfaktor," kma - Das Gesundheitswirtschaftsmagazin, vol. 23, pp. 66–69, 07 2018.
[19] K. Leune and S. J. P. Jr., "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education," SIGITE'17, pp. 47–52, 10 2017.
[20] T. Gasiba, K. Beckers, S. Suppan, and F. Rezabek, "On the Requirements for Serious Games Geared Towards Software Developers in the Industry," submitted for publication: Requirements Engineering Conference, 2019.