text
One of the biggest weaknesses in cybersecurity lies within the “human infrastructure” (Hadnagy, 2011, 3). While this usually leads to security awareness trainings of employees and other organisational issues, the awareness for secure code among developers is too often neglected. A major lever to improve information security is to improve the quality of code in terms of secure coding. Based on this situation, my thesis investigates the feasibility of using Free/Libre and Open Source Software (F/LOSS) tools, to build a toolchain and feedback generation platform, that could be used in introductory programming courses to add incentives for secure coding aware- ness and adoption. An evaluation of 7 out of 19 found F/LOSS static analysis tools for PHP code analysis, shows that only 2 are in part fit for secure coding specific analysis. However, several of those tools provide opportunities for extension and adaptation. The use of 2 selected tools in the SCRAP prototype provides a starting point for further potential research. The SCRAP prototype, that was built in the course of this thesis, consists of an OpenAPI 3 conforming API, a corresponding prototype implementation of a RESTful web service and a prototype web UI, which are documented on the project website https://scrap.tantemalkah.at, and are accessible under an AGPLv3 license. It is easily extendible with additional scanners and can be used for further research into software security education. While the extensive literature review reveals that the field of software security education still needs a lot more attention, SCRAP adds a new approach. Yet its adoption necessitates a sustainable long-term approach and socio-technical adaptations in organisations who want to facilitate it, as well as more open and cooperative research in software security education is needed to improve secure coding capabilities throughout the educational sector and in term the IT industry in general.
