Authentic Learning Modules for DevOps Security Education

DevOps 安全教育的真实学习模块

• 批准号: 2209637
• 负责人: Fan Wu
• 金额: $ 12万
• 依托单位: Tuskegee University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-06-15 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2209637&HistoricalAwards=false
• 关键词: Authentic; Learning; Modules; DevOps; Security

Information technology (IT) organizations use development and operations (DevOps) to deliver software-based services rapidly to end-users. During software development, various documents are often created. These materials, referred to as software artifacts, may include design documents, source code, risk assessments, and other project plans or documentation. Software artifacts used in DevOps yield tremendous benefits for IT organizations. However, without the secure development of these artifacts, deployed software can contain security vulnerabilities which malicious users can exploit to cause serious consequences for organizations. Therefore, students who are poised to become next-generation professionals need to be educated on (i) the consequences of security weaknesses that are commonplace in DevOps artifacts and (ii) how security weaknesses can be mitigated through secure development. This project aims to create an engaging and motivating learning environment that encourages all computer science students to learn cybersecurity integration into artifacts used for DevOps. The project has the potential to transform computer science education in the cross-cutting areas of software engineering and cybersecurity and grow a cybersecurity workforce that is well-versed in secure software development practices and techniques. Principal investigators from Tennessee Tech University, Kennesaw State University, and Tuskegee University will collaborate on developing and deploying authentic learning-based modules for DevOps security education (ALAMOSE). The ALAMOSE project will leverage authentic learning, which provides students with practical knowledge to solve real-world problems. Pre-lab content dissemination, hands-on exercise, and post-lab activities will be included. The modules will be deployed in existing cybersecurity, software engineering, and IT system security courses across the three institutions, potentially impacting students from diverse backgrounds. Faculty workshops and outreach webinars will be employed to promote the adoption of the modules and to gather and present lessons learned and experiential feedback. In addition, the modules will be available to educators nationwide through code and container sharing platforms, such as GitHub and DockerHub. This project is supported by the Secure and Trustworthy Cyberspace (SaTC) program, which funds proposals that address cybersecurity and privacy, and in this case specifically cybersecurity education. The SaTC program aligns with the Federal Cybersecurity Research and Development Strategic Plan and the National Privacy Research Strategy to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

信息技术 (IT) 组织使用开发和运营 (DevOps) 快速向最终用户提供基于软件的服务。在软件开发过程中，经常会创建各种文档。这些材料称为软件工件，可能包括设计文档、源代码、风险评估和其他项目计划或文档。 DevOps 中使用的软件工件为 IT 组织带来了巨大的好处。然而，如果没有这些工件的安全开发，部署的软件可能包含安全漏洞，恶意用户可以利用这些漏洞给组织造成严重后果。因此，准备成为下一代专业人士的学生需要接受以下方面的教育：(i) DevOps 工件中常见的安全漏洞的后果，以及 (ii) 如何通过安全开发来缓解安全漏洞。该项目旨在创建一个有吸引力和激励性的学习环境，鼓励所有计算机科学专业的学生学习将网络安全集成到用于 DevOps 的工件中。该项目有潜力改变软件工程和网络安全交叉领域的计算机科学教育，并培养精通安全软件开发实践和技术的网络安全劳动力。来自田纳西理工大学、肯尼索州立大学和塔斯基吉大学的主要研究人员将合作开发和部署用于 DevOps 安全教育 (ALAMOSE) 的真实的基于学习的模块。阿拉莫斯项目将利用真实的学习，为学生提供解决现实世界问题的实践知识。将包括实验前内容传播、实践练习和实验后活动。这些模块将部署在三个机构现有的网络安全、软件工程和 IT 系统安全课程中，可能会影响来自不同背景的学生。将举办教师研讨会和外展网络研讨会来促进模块的采用，并收集和展示经验教训和经验反馈。此外，这些模块将通过代码和容器共享平台（例如 GitHub 和 DockerHub）向全国教育工作者开放。 该项目得到安全可信网络空间 (SaTC) 计划的支持，该计划资助解决网络安全和隐私问题的提案，在本例中特别是网络安全教育。 SaTC 计划与联邦网络安全研究与发展战略计划和国家隐私研究战略相一致，旨在保护和维护网络系统不断增长的社会和经济效益，同时确保安全和隐私。该奖项反映了 NSF 的法定使命，并被认为值得获得通过使用基金会的智力优势和更广泛的影响审查标准进行评估来提供支持。

项目成果

Investigating Novel Approaches to Defend Software Supply Chain Attacks

研究防御软件供应链攻击的新方法

• 发表时间: 2022
• 期刊: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW
• 作者: Faruk, M.;Tasnim, M.;Shahriar, H.;Valero, M.;Rahman, A.;Wu, F.
• 通讯作者: Wu, F.

Case Study-Based Approach of Quantum Machine Learning in Cybersecurity: Quantum Support Vector Machine for Malware Classification and Protection

基于案例研究的网络安全量子机器学习方法：用于恶意软件分类和保护的量子支持向量机

• DOI: 10.1109/compsac57700.2023.00161
• 发表时间: 2023
• 期刊: and Applications Conference (COMPSAC
• 作者: Akter, Mst Shapna;Shahriar, Hossain;Iqbal Ahamed, Sheikh;Datta Gupta, Kishor;Rahman, Muhammad;Mohamed, Atef;Rahman, Mohammad;Rahman, Akond;Wu, Fan
• 通讯作者: Wu, Fan

Practitioner Perceptions of Ansible Test Smells

从业者对 Ansible 测试气味的看法

• DOI: 10.1109/icsa-c57050.2023.00074
• 发表时间: 2023
• 期刊: 023 IEEE 20th International Conference on Software Architecture Companion (ICSA-C
• 作者: Zhang, Yue;Wu, Fan;Rahman, Akond
• 通讯作者: Rahman, Akond

Security Risk and Attacks in AI: A Survey of Security and Privacy

• DOI: 10.1109/compsac57700.2023.00284
• 发表时间: 2023-06
• 期刊: 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)
• 作者: Md Mostafizur Rahman;Aiasha Siddika Arshi;Md. Golam Moula Mehedi Hasan;Sumayia Farzana Mishu;Hossain Shahriar-Hossain-Sh

Authentic Learning Approach for Artificial Intelligence Systems Security and Privacy

人工智能系统安全和隐私的真实学习方法

• DOI: 10.1109/compsac57700.2023.00151
• 发表时间: 2023
• 期刊: and Applications Conference (COMPSAC
• 作者: Akter, Mst Shapna;Shahriar, Hossain;Lo, Dan;Sakib, Nazmus;Qian, Kai;Whitman, Michael;Wu, Fan
• 通讯作者: Wu, Fan