• DocumentCode
    710249
  • Title
    A Method for Recommending Computer-Security Training for Software Developers: Leveraging the Power of Static Analysis Techniques and Vulnerability Repositories
  • Author
    Nadeem, Muhammad ; Allen, Edward B. ; Williams, Byron J.
  • Author_Institution
    Dept. of Comput. Sci. & Eng., Mississippi State Univ., Starkville, MS, USA
  • fYear
    2015
  • fDate
    13-15 April 2015
  • Firstpage
    534
  • Lastpage
    539
  • Abstract
    Security breaches in software systems are often caused by vulnerable code, which results in loss of confidential data in addition to reputation and financial damages. To achieve robust software security, developers must be given proper training on secure coding practices. Conventional training methods are limited as they do not take the prior code written by the developers into account. We propose a Computer Security Training Recommender to help identify focused and narrow training areas for software developers. The proposed system leverages the power of public vulnerability repositories, static analysis techniques, and mapping algorithms. The public vulnerability repositories, hosting community-accepted solutions to several security problems, serve as the knowledgebase for the proposed system. We use static analysis techniques to uncover vulnerabilities present in developers' code. Finally, the mapping algorithms use information about flagged vulnerabilities to retrieve the most relevant articles from the knowledgebase. Hence, the mitigation strategies given in the articles can be used as a resource to train the individual developers. This paper presents an architecture of the proposed recommender system and a proof-of-concept case study. Preliminary empirical evaluation indicates that the proposed system is promising.
  • Keywords
    financial data processing; recommender systems; security of data; software engineering; computer security training recommender; confidential data; financial damages; mapping algorithms; public vulnerability repositories; recommending computer-security training; robust software security; secure coding practices; security breaches; software developers; software systems; static analysis techniques; vulnerable code; Computer architecture; Databases; Prototypes; Recommender systems; Security; Software; Training; FindBugs; Recommender system; public vulnerability repository; security; software vulnerabilities; static analysis;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Technology - New Generations (ITNG), 2015 12th International Conference on
  • Conference_Location
    Las Vegas, NV
  • Print_ISBN
    978-1-4799-8827-3
  • Type
    conf
  • DOI
    10.1109/ITNG.2015.90
  • Filename
    7113528