Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard
Sarah Elder, Nusrat Zahan, Val Kozarev, Rui Shu, Tim Menzies, Laurie Williams

TL;DR
This paper shares insights from eleven years of teaching a comprehensive software security course, highlighting how integrating the OWASP ASVS into assignments enhances students' understanding and practical vulnerability detection skills.
Contribution
It introduces a novel course assignment approach that maps vulnerabilities to OWASP ASVS controls, improving security education effectiveness.
Findings
Students detected 191 vulnerabilities in three hours
Mapping to OWASP ASVS improved understanding of security controls
Students identified 28 CWE types during practical testing
Abstract
Lack of security expertise among software practitioners is a problem with many implications. First, there is a deficit of security professionals to meet current needs. Additionally, even practitioners who do not plan to work in security may benefit from an increased understanding of security. The goal of this paper is to aid software engineering educators in designing a comprehensive software security course by sharing the experience of running a software security course for the eleventh time. Through all eleven years of running the software security course, the course objectives have been comprehensive, ranging from security testing, to secure design and coding, to security requirements, to security risk management. For the first time, in this eleventh year, a theme of the course assignments was to map vulnerability discovery to the security controls of the Open Web Application Security…
