Design of Secure Coding Challenges for Cybersecurity Education in the Industry
Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque, and Alae Zouitni

TL;DR
This paper investigates the design of Capture-the-Flag cybersecurity challenges tailored for industry, proposing six challenge types and a structure to enhance secure coding skills among software developers.
Contribution
It introduces six industry-appropriate challenge types and a structured approach for CTF challenges, including hints and penalties, validated through expert surveys.
Findings
Traditional challenge types are effective in industry contexts.
New challenge classes based on code entry and automated coaching are promising.
Survey results support the proposed challenge design and structure.
Abstract
According to a recent survey with more than 4000 software developers, less than half of developers can spot security holes. As a result, software products present low security quality, expressed by vulnerabilities that can be exploited by cyber-criminals. This lack of quality and security is particularly dangerous if the software which contains the vulnerabilities is deployed in critical infrastructures. Serious games, and in particular Capture-the-Flag (CTF) events, have shown promising results in improving secure coding awareness of software developers in the industry. The challenges in the CTF event, to be useful, must be adequately designed to address the target group. This paper presents novel contributions by investigating which challenge types are adequate to improve software developers' ability to write secure code in an industrial context. We propose 1) six challenge types…
Taxonomy
Topics: Software Engineering Research · Software Engineering Techniques and Practices · Information and Cyber Security
