We created these materials with the expectation that they (or a subset of them) could be used in a closed laboratory setting as part of a CS1 or CS2 course. We have created several serious games that we expect students could play for a few minutes at the start of the laboratory, as a means to get acquainted with the secure coding topic. Students could then complete the laboratory exercises (or a subset of the laboratory exercises), providing an opportunity to learn about a particular secure coding topic in C++/Java. It is important to note that we use secure coding as a context in which to teach various CS topics.
Each of the laboratory exercises contains a well-known coding disaster. While it is not essential to cover this disaster as part of your laboratory, we believe that it adds a sense of realism to the secure coding topic, and helps students to realize that programming securely really does matter.
Ultimately, secure coding is a mindset rather than a particular set of dos and don'ts. But, we believe that students can start to develop a "security mindset" as they begin to learn to program as part of CS1/CS2.
Please note that these materials are copywritten. You are welcome to use these materials in your classes and with your students. If you wish to use these materials for other purposes (for example, as part of an NSF grant application, publishing them somewhere, etc.), you must first request and receive permission.
| Computer Science topic | Secure coding topic | Language | Materials | Game |
|---|---|---|---|---|
| Arrays | Array index out of bounds | C++ | doc, pdf, code | game link |
| Data types | Rounding errors | C++ | docx, pdf, code | |
| Data types | Rounding errors | Java | doc, pdf, code | |
| Functions (using library functions) | Checking return values | C++ | docx, pdf, code | game link |
| Operator precedence | Operator precedence | C++ | docx, pdf, code | game link |
| Parameter passing and the call stack | Buffer overruns | C++ | Stack going up:docx,
pdf Stack going down:docx, pdf code |
game link |
| Representation of integers | Integer overflow | C++ | docx, pdf, code | game link |
| Representation of integers | Integer overflow | Java | docx, pdf, code | game link |
| Strings | Input validation | C++ | doc, pdf, code | game link |
| Exceptions | Input validation | Java | docx, pdf, code | game link |
* This work is supported in part by NSF DUE-1022557. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily represent the views of the National Science Foundation (NSF). See 1022557 for more detail about the award.