Training for Security: Results from Using a Static Analysis Tool in the Development Pipeline of Web Apps
Nocera S.; Romano S.; Francese R.; Scanniello G.
2024-01-01
Abstract
In a previous publication, we presented the results of an assessment aimed at understanding whether bachelor students in Computer Science (CS) enrolled in a Software Technologies for the Web (STW) course were equipped to manage security concerns in the development of (e-commerce) web apps. The gathered evidence highlighted that students enrolled in this course in a.y. (academic year) 2021-22 were not equipped to develop secure web apps, although they regarded security as a relevant development aspect. We then delineated a training plan to fill this gap. In this paper, we present the results from the enactment of this plan and the experience gained. In particular, our training plan involved (CS) bachelor students enrolled in the STW course in a.y. 2022-23, and one of the implemented actions consisted of asking these students (who were different from those enrolled in a.y. 2021-22) to use a Static Analysis Tool (SAT), namely SonarCloud, in their development pipeline to detect security concerns. The students were asked to use SonarCloud, but were not forced to remove the detected security concerns. One of the most important results of our intervention was that the number of security concerns in the web apps developed in a.y. 2022-23 was significantly lower than in those developed in a.y. 2021-22. Since software security is nowadays of primary relevance, we must train the next generation of developers to develop secure web apps and let them experience, in university courses, the use of tools that support the development of secure software.