Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard

by   Sarah Elder, et al.

Lack of security expertise among software practitioners is a problem with many implications. First, there is a deficit of security professionals to meet current needs. Additionally, even practitioners who do not plan to work in security may benefit from increased understanding of security. The goal of this paper is to aid software engineering educators in designing a comprehensive software security course by sharing an experience running a software security course for the eleventh time. Through all the eleven years of running the software security course, the course objectives have been comprehensive - ranging from security testing, to secure design and coding, to security requirements to security risk management. For the first time in this eleventh year, a theme of the course assignments was to map vulnerability discovery to the security controls of the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS). Based upon student performance on a final exploratory penetration testing project, this mapping may have increased students' depth of understanding of a wider range of security topics. The students efficiently detected 191 unique and verified vulnerabilities of 28 different Common Weakness Enumeration (CWE) types during a three-hour period in the OpenMRS project, an electronic health record application in active use.


page 1

page 7


Designing a Security System Administration Course for Cybersecurity with a Companion Project

In the past few years, an incident response-oriented cybersecurity progr...

XSS for the Masses: Integrating Security in a Web Programming Course using a Security Scanner

Cybersecurity education is considered an important part of undergraduate...

Evaluating the Impact of ChatGPT on Exercises of a Software Security Course

Along with the development of large language models (LLMs), e.g., ChatGP...

Senior Project Management System: Requirements, Specification, and Design Issues

Senior project is a typical essential course in computing educational pr...

Towards an Insightful Computer Security Seminar

In this paper we describe our experience in designing and evaluating our...

Learning Software Quality Assurance with Bricks

Software Quality Assurance (SQA) and Software Process Improvement (SPI) ...

Please sign up or login with your details

Forgot password? Click here to reset