Games for Developer-Centred Security

The cyber security context requires a better understanding of how developers write (in)secure code and of how to assist them in their software development. To investigate how to help developers build more secure software, we aim to identify activities that could effectively persuade developers to improve their cybersecurity skills and increase the security of their code. In particular, we want to investigate the impact that gamification and serious games have on secure coding training. A recent study has explored the software development security skills of GitHub users [AcaStrWerMazFah_SOUPS-2017]. In this online experiment, the participants were invited to undertake three secure programming exercises; their programming was then evaluated with regard to security properties. The experiment revealed that neither the self-reported security knowledge level nor the self-reported professional or student status was statistically related to the security grading of their programming solutions. Coding games such as Code Hunt are being adapted for secure coding [XieBisTildHa_HotSoS-2015] or testing training [RojWhiCleFra_ICSE-2017], while secure coding competitions such as Build It, Break It, Fix It are organised as a Catch The Flag game [RueHicParLevMazMar_CCS-2016]. This raises the following questions:

Do not hesitate to contact Manuel Maarek if you are interested in this research.

Impact of Gamification on Developer-Centred Security

In this NCSC-RISCS project, we have developed a secure coding experiment and serious game intervention [GALA-2018]. The project, led by Manuel Maarek, was a collaboration between Heriot-Watt University and the Glasgow School of Art:

  • Manuel Maarek (Heriot-Watt University)
  • Léon McGregor (Heriot-Watt University)
  • Sandy Louchart (Glasgow School of Art)
  • Ross McMenemy (Glasgow School of Art)

The online game embeds a set of programming exercises in a tower defence game whose design reflects the purposes of the programming tasks.

Figure 1: Gameplay

Figure 2: Game upgrades

Figure 3: Programming menu

Figure 4: Programming environment

Contact Manuel Maarek if you are interested in this experiment.

Publications and References

[GALA-2018]
Manuel Maarek, Sandy Louchart, Léon McGregor, and Ross McMenemy. Co-created design of a serious game investigation into developer-centred security. In Games and Learning Alliance, 7th International Conference (GALA 2018), Palermo, Italy, 2018. To appear.
[AcaStrWerMazFah_SOUPS-2017]
Yasemin Acar, Christian Stransky, Dominik Wermke, Michelle L. Mazurek, and Sascha Fahl. Security Developer Studies with GitHub Users: Exploring a Convenience Sample. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), 2017.
[RojWhiCleFra_ICSE-2017]
José Miguel Rojas, Thomas D. White, Benjamin S. Clegg, and Gordon Fraser. Code Defenders: Crowdsourcing Effective Tests and Subtle Mutants with a Mutation Testing Game. In Proceedings of the 39th International Conference on Software Engineering, ICSE '17, pages 677–688, Piscataway, NJ, USA, 2017. IEEE Press.
[RueHicParLevMazMar_CCS-2016]
Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. Build It, Break It, Fix It: Contesting Secure Development. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, pages 690–703, New York, NY, USA, 2016. ACM.
[XieBisTildHa_HotSoS-2015]
Tao Xie, Judith Bishop, Nikolai Tillmann, and Jonathan de Halleux. Gamifying Software Security Education and Training via Secure Coding Duels in Code Hunt. In Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS '15, pages 26:1–26:2, New York, NY, USA, 2015. ACM.