Increasing Developer Awareness of Java Secure Coding in the Industry: An Approach Using Serious Games

Luís Afonso Maia Rosa Casqueiro (ISCTE, University Institute of Lisbon, Portugal), Tiago Espinha Gasiba (SIEMENS AG, Germany), Maria Pinto-Albuquerque (ISCTE, University Institute of Lisbon, Portugal), and Ulrike Lechner (Universität der Bundeswehr München, Germany)
DOI: 10.4018/978-1-6684-4291-3.ch016

Abstract

Vulnerabilities in source code, when left unpatched, can potentially be exploited by a malicious party, resulting in severe negative consequences. These negative consequences can be significant if the vulnerable software is part of critical infrastructure. Previous studies, however, have shown that many software developers cannot recognize vulnerable code. One possible way to ameliorate the situation is by increasing software developers' awareness of secure programming techniques. In this chapter, the authors propose a serious game, the Java Cybersecurity Challenges, that presents secure programming challenges to the participants in a competitive scenario. They describe and analyze the tools required to implement these challenges and perform an empirical evaluation of the game with more than 40 software developers from the industry. The work contributes to the growing knowledge on the design of serious games and provides valuable information for industry practitioners who wish to deploy a similar game in their environment.

Introduction

Over the last few years, the number of cybersecurity incidents has been steadily increasing. According to the United States Department of Homeland Security (US-CERT, 2020), more than 95% of security incidents are caused by exploits against defects in the design or the code of software, i.e., by software vulnerabilities. The rising number of cybersecurity incidents also tracks the rising number of software vulnerabilities. Figure 1 shows the number of known software vulnerabilities reported to and collected by the community-driven vulnerability database VulDB (VULDB, 2018).

Figure 1. Number of Known Software Vulnerabilities

Since 2000, the number of known software vulnerabilities has exceeded 170,000, of which more than 121,000 have been reported since 2011. Examples include ShellShock (Fireeye, 2014), StageFright (Golem, 2014), EternalBlue (MITRE, 2017), and Drupalgeddon (DreadLocked, 2018).

Patel et al. (Patel, 2019; Schneier, 2019) conducted a large-scale study with more than 4000 software developers and found that more than 50% of them cannot spot vulnerabilities in source code. The increasing number of software vulnerabilities and security incidents is a serious problem for the industry, especially for critical infrastructures.

To address these issues, industrial IT security standards such as IEC 62443 mandate the use of secure coding guidelines within a secure software development lifecycle process. One way to check compliance with secure coding guidelines, widely used in the industry, is to run static application security testing (SAST) tools. However, the reliability of these tools has been shown to fall short of what is required: they can produce a large number of findings, leading to developer stress and fatigue, and those findings can include both false positives and false negatives. Ultimately, it is up to the software developers to understand secure coding guidelines, to avoid writing vulnerable code, and to fix the vulnerabilities that do reach the source code. However, according to Patel et al. (Patel, 2019), Acar et al. (Acar, 2017), and Gasiba et al. (Gasiba et al., 2021), software developers lack awareness of secure coding and of secure coding guidelines.

One possible way to address this lack of awareness is a serious game that raises awareness of secure coding guidelines through programming exercises. Gasiba et al. (Gasiba et al., 2021) introduced such a serious game, together with a platform on which secure programming challenges can be implemented. While their work validates the approach for the C and C++ programming languages (Gasiba et al., 2021; Gasiba et al., 2020), it does not address the Java programming language.
