Summary: | <p>Vulnerable code may cause security breaches in software systems, resulting in financial
and reputational losses for organizations in addition to the loss of their customers' confidential
data. Delivering proper software security training to software developers is key to
preventing such breaches. Conventional training methods do not take into account the code written by the
developers over time, which makes these training sessions less effective. We
propose a method for recommending computer security training that helps identify the focused
and narrow areas in which developers need training. The proposed method leverages
static analysis techniques, using the vulnerabilities flagged in the source code
as a basis, to suggest the most appropriate training topics to different software developers.
Moreover, it utilizes public vulnerability repositories as its knowledge base to suggest community-accepted
solutions to different security problems. Such mitigation strategies are
platform independent, which further strengthens the utility of the system.</p>
<p>
This research discusses the proposed architecture of the recommender system, case
studies that validate the system architecture, tailored algorithms that improve the performance
of the system, and a human subject evaluation conducted to determine the usefulness of the
system.</p>
<p>
Our evaluation suggests that the proposed system successfully retrieves relevant training
articles from the public vulnerability repository. The human subjects found these articles
to be suitable for training. The human subjects also found the proposed recommender
system to be as effective as a commercial tool.</p>
|