Authentic Learning Modules for DevOps Security Education

DevOps 安全教育的真实学习模块

• 批准号: 2209637
• 负责人: Fan Wu
• 金额: $ 12万
• 依托单位: Tuskegee University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-06-15 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2209637&HistoricalAwards=false
• 关键词: Authentic; Learning; Modules; DevOps; Security

Information technology (IT) organizations use development and operations (DevOps) to deliver software-based services rapidly to end-users. During software development, various documents are often created. These materials, referred to as software artifacts, may include design documents, source code, risk assessments, and other project plans or documentation. Software artifacts used in DevOps yield tremendous benefits for IT organizations. However, without the secure development of these artifacts, deployed software can contain security vulnerabilities which malicious users can exploit to cause serious consequences for organizations. Therefore, students who are poised to become next-generation professionals need to be educated on (i) the consequences of security weaknesses that are commonplace in DevOps artifacts and (ii) how security weaknesses can be mitigated through secure development. This project aims to create an engaging and motivating learning environment that encourages all computer science students to learn cybersecurity integration into artifacts used for DevOps. The project has the potential to transform computer science education in the cross-cutting areas of software engineering and cybersecurity and grow a cybersecurity workforce that is well-versed in secure software development practices and techniques. Principal investigators from Tennessee Tech University, Kennesaw State University, and Tuskegee University will collaborate on developing and deploying authentic learning-based modules for DevOps security education (ALAMOSE). The ALAMOSE project will leverage authentic learning, which provides students with practical knowledge to solve real-world problems. Pre-lab content dissemination, hands-on exercise, and post-lab activities will be included. The modules will be deployed in existing cybersecurity, software engineering, and IT system security courses across the three institutions, potentially impacting students from diverse backgrounds. Faculty workshops and outreach webinars will be employed to promote the adoption of the modules and to gather and present lessons learned and experiential feedback. In addition, the modules will be available to educators nationwide through code and container sharing platforms, such as GitHub and DockerHub. This project is supported by the Secure and Trustworthy Cyberspace (SaTC) program, which funds proposals that address cybersecurity and privacy, and in this case specifically cybersecurity education. The SaTC program aligns with the Federal Cybersecurity Research and Development Strategic Plan and the National Privacy Research Strategy to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

信息技术（IT）组织使用开发和运营（DevOps）向最终用户快速交付基于软件的服务。在软件开发过程中，经常会创建各种文档。这些材料被称为软件工件，可能包括设计文档、源代码、风险评估，以及其他项目计划或文档。在DevOps中使用的软件构件为IT组织带来了巨大的好处。然而，如果没有这些构件的安全开发，部署的软件可能包含安全漏洞，恶意用户可以利用这些漏洞给组织造成严重后果。因此，准备成为下一代专业人士的学生需要接受以下方面的教育：(1)DevOps工件中常见的安全弱点的后果；(2)如何通过安全开发来减轻安全弱点。该项目旨在创造一个吸引人的、激励人的学习环境，鼓励所有计算机科学专业的学生学习将网络安全集成到用于DevOps的工件中。该项目有可能改变软件工程和网络安全交叉领域的计算机科学教育，并培养一支精通安全软件开发实践和技术的网络安全劳动力。来自田纳西理工大学、肯尼索州立大学和塔斯基吉大学的主要研究人员将合作为DevOps安全教育（ALAMOSE）开发和部署真正的基于学习的模块。ALAMOSE项目将利用真实的学习，为学生提供解决现实问题的实用知识。包括实验前的内容传播、动手练习和实验后的活动。这些模块将部署在三所大学现有的网络安全、软件工程和IT系统安全课程中，可能会影响到来自不同背景的学生。将采用教师研讨会和外展网络研讨会来促进模块的采用，并收集和介绍经验教训和经验反馈。此外，这些模块将通过代码和容器共享平台（如GitHub和DockerHub）提供给全国的教育工作者。该项目由安全与可信网络空间（SaTC）计划支持，该计划资助解决网络安全和隐私问题的提案，在这种情况下，特别是网络安全教育。SaTC项目与《联邦网络安全研究与发展战略计划》和《国家隐私研究战略》保持一致，旨在保护和维护网络系统日益增长的社会和经济效益，同时确保安全和隐私。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Investigating Novel Approaches to Defend Software Supply Chain Attacks

研究防御软件供应链攻击的新方法

• 发表时间: 2022
• 期刊: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW
• 作者: Faruk, M.;Tasnim, M.;Shahriar, H.;Valero, M.;Rahman, A.;Wu, F.
• 通讯作者: Wu, F.

Case Study-Based Approach of Quantum Machine Learning in Cybersecurity: Quantum Support Vector Machine for Malware Classification and Protection

基于案例研究的网络安全量子机器学习方法：用于恶意软件分类和保护的量子支持向量机

• DOI: 10.1109/compsac57700.2023.00161
• 发表时间: 2023
• 期刊: and Applications Conference (COMPSAC
• 作者: Akter, Mst Shapna;Shahriar, Hossain;Iqbal Ahamed, Sheikh;Datta Gupta, Kishor;Rahman, Muhammad;Mohamed, Atef;Rahman, Mohammad;Rahman, Akond;Wu, Fan
• 通讯作者: Wu, Fan

Practitioner Perceptions of Ansible Test Smells

从业者对 Ansible 测试气味的看法

• DOI: 10.1109/icsa-c57050.2023.00074
• 发表时间: 2023
• 期刊: 023 IEEE 20th International Conference on Software Architecture Companion (ICSA-C
• 作者: Zhang, Yue;Wu, Fan;Rahman, Akond
• 通讯作者: Rahman, Akond

Authentic Learning Approach for Artificial Intelligence Systems Security and Privacy

人工智能系统安全和隐私的真实学习方法

• DOI: 10.1109/compsac57700.2023.00151
• 发表时间: 2023
• 期刊: and Applications Conference (COMPSAC
• 作者: Akter, Mst Shapna;Shahriar, Hossain;Lo, Dan;Sakib, Nazmus;Qian, Kai;Whitman, Michael;Wu, Fan
• 通讯作者: Wu, Fan

Security Risk and Attacks in AI: A Survey of Security and Privacy

• DOI: 10.1109/compsac57700.2023.00284
• 发表时间: 2023-06
• 期刊: 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)
• 作者: Md Mostafizur Rahman;Aiasha Siddika Arshi;Md. Golam Moula Mehedi Hasan;Sumayia Farzana Mishu;Hossain Shahriar-Hossain-Sh