Cybersecurity education research could lead to creation of secure programming clinic

Hundreds of years ago, linguists agreed upon the fundamentals of English grammar and composition. For more than 40 years, writers have sought help from English language experts through the Purdue Writing Lab. Now, a Purdue Polytechnic professor wants to create a similar service for languages of the 21st century to help computer programmers write code that is secure from cyberattacks.

Ida Ngambeki, assistant professor of computer and information technology, says that secure programming needs to be a vital part of every programmer’s education. She is researching techniques to incorporate secure programming into computer programming curricula without adding to the course load.

“When we’re teaching students how to code software, it’s important that they know how to make a program secure, so that it can’t be attacked by other people,” said Ngambeki. “There are principles and concepts in programming security that they need to understand.”

Through a project funded by the National Science Foundation (NSF), the Secure Programming Clinic has been deployed at four institutions in the U.S. and one in South Africa. Ngambeki is collaborating with Phillip Nico, professor of computer science and software engineering at California Polytechnic State University; Matthew Bishop, professor of computer science at the University of California, Davis; and Jun Dai, professor of computer science at California State University, Sacramento.

Because secure programming is a relatively new field, Ngambeki’s team started their research with a Delphi study, a quantitative technique that solicits opinions from groups and generates consensus through a multi-round iterative process. They worked with experts in secure programming from industry, government and academia to develop a concept map, identifying the major topic areas in secure programming and the connections amongst them.

Through a second project funded by the National Security Agency, this concept map was then used as the basis to develop a concept inventory for secure programming.

“The concept inventory doesn’t just target what you know or have memorized,” said Ngambeki. “It also targets common misunderstandings. Once those are identified, you can focus on them in an educational setting to help students improve their fundamental understanding of the topic.”

This concept inventory was developed by interviewing instructors who teach secure programming and undergraduate and graduate students in computing courses.

“We asked them about what students find difficult, what misunderstandings they have in the classroom and what causes them to fail over and over,” she said. “Then we interviewed students, gave them basic questions based on our concept map, and coded their answers.”

Using that data, the research team developed a taxonomy of misconceptions in secure programming and a 250-question, multiple-choice question pool. They have tested the pool of questions to determine which ones best identified students’ misconceptions.

Ngambeki’s team has recently been awarded a second NSF grant to develop an online tutorial and assessment platform. Independently or in the context of a class, students would take test questions as practice and get feedback and tutoring based on concept map-informed diagnostics. Instructors would receive feedback about the topics with which their students are struggling.

“We hope to continuously collect questions and work with instructors to see how they’re doing,” said Ngambeki. “It would essentially turn the test into a living instrument, updated for changes in programming languages that are continuously evolving.”

Ngambeki said the team is channeling its research findings into the creation of a secure programming clinic, a service analogous to the writing lab provided by Purdue’s Department of English. Test versions of the clinic are in operation at Purdue Northwest, Cal Poly San Luis Obispo, U.C. Davis, and Sacramento State, she said. A centralized website connects the clinics.

“You could be coding for a class project or writing a website and go to our clinic to get feedback on the security and robustness of your code,” she said. “But we need a good, consistent, rigorous, widely accepted method to measure secure programming knowledge.”

Ngambeki earned a bachelor’s degree in engineering at Smith College and a doctorate in engineering education from Purdue. Her background includes studies in psychology, social science, engineering, computing and education. Ngambeki also studies cybersecurity policy and workforce development.
