Towards Personalizing Secure Programming Education with LLM-Injected Vulnerabilities

TL;DR

This paper explores using LLMs to inject personalized security vulnerabilities into students' code to enhance engagement and understanding in secure programming education.

Contribution

It introduces an agentic AI framework for embedding specific CWEs into student code and evaluates its impact in undergraduate courses.

Findings

Students found personalized CWE injections more relevant and engaging.

Quantitative results showed limited statistically significant differences.

Further refinement is needed to strengthen empirical support.

Abstract

According to constructivist theory, students learn software security more effectively when examples are grounded in their own code. Generic examples often fail to connect with students' prior work, limiting engagement and understanding. Advances in LLMs are now making it possible to automatically generate personalized examples by embedding security vulnerabilities directly into student-authored code. This paper introduces a method that uses LLMs to inject instances of specific Common Weakness Enumerations (CWEs) into students' own assignment code, creating individualized instructional materials. We present an agentic AI framework, using autonomous LLM-based agents equipped with task-specific tools to orchestrate injection, evaluation, ranking, and learning outcome generation. We report the experience of deploying this system in two undergraduate computer science courses (N=71), where students reviewed code samples containing LLM-injected vulnerabilities and completed a post-project survey. We compared responses with a baseline using a widely adopted set of generic security instructional materials. Students qualitatively reported finding CWE injections into their own code more relevant, clearer, and more engaging than the textbook-style examples. However, our quantitative findings revealed limited statistically significant differences, suggesting that while students valued the personalization, further studies and refinement of the approach are needed to establish stronger empirical support.