Integrating Cyber Security Resources for Software Engineers

Introduction

Cybersecurity is crucial for organizations and individuals due to frequent and sophisticated cyberattacks. Software engineers are key players in this regard, responsible for creating and maintaining secure applications. They need a strong foundation in security related topics to conceptualize and develop secure software solutions while respected prevailing data and privacy regulation laws. This project aims to address this need by providing a unified, accessible, and searchable cybersecurity knowledge base for software engineers. More specifically, it should streamline information acquisition and enhance the accessibility and usability of existing online cybersecurity resources.

The project contains 3 work packages (WP):

1. Resource Identification: Identify available online cybersecurity resources (e.g. knowledge databases, glossaries, wikis, etc.) that provide definitions, advises, and further topic-related references. This work package addresses the tasks of investigating what cybersecurity resources are available and what characterization scheme could help to categorize them.
2. Resource Curation: Curate the identified resources in a collective index and, where appropriate, enrich them with metadata such as quality rating and information actuality. This work package addresses the question of how to consolidate different resources in a structural and extensible manner.
3. Web Application: Implement a web application that allows to efficiently search, filter, and access these curated resources. Desired features include full-text search capability, advanced filtering options, and possibility to submit changes or extensions. This work package comprises the specification and implementation of a web application used to further increase the accessibility of gathered knowledge resources, e.g., to integrate the findings from WP1 & WP2.

Approach

The above description provides a high-level overview of the project. While the three aspects suggest a sequential approach, this is not mandatory, nor do all aspects need to be addressed equally. Students are encouraged to propose alternative, potentially more iterative, implementation strategies and focus areas (e.g., web application development). For example, one could start with thinking about a desire system design for such a resource consolidation web application and expand from here. Extensions could involve adding/linking content, invest into community attraction, bind various APIs, or develop a web scraper.

Students passionate about cybersecurity but less interested in programming may focus on investigating available resources and proposing a categorization/annotation framework. This could involve, for example, emphasizing differences between existing cybersecurity resources. Perhaps one could contribute to this domain by not only curating these resources but also provide a multidimensional categorization. Such categories might cover level of granularity (high-level system architectures vs. concrete / low-level advice), application fields (database, web API, iOS, etc.), affected assets (human identities, business data, bitcoin, etc.), and possibly many more.

Target Group

In this multi-package project, the required skill set varies per WP. To help students decide if this project aligns with their interests, we have outlined essential and desirable interests in the table. We emphasize interests because we believe that with genuine interest, the necessary skills can be easily learned resp. further advanced.

	Important	Nice to Have
WP1	cybersecurity in general, open knowledge platforms, open-source intelligence	web technologies, experience in structured data collection
WP2	web technologies, metadata, data analysis in general, open knowledge platforms, web technologies	cybersecurity in general, data cleaning pipelines, SQL
WP3	web technologies, web frameworks, docker, system design, programming in general, SQL	cybersecurity in general, UI/UX design, SEO

Interested students are invited to work on this project in the context of their Practicum Software Engineering (PSE) and/or Seminars. Generally, it is also possible to contribute to this project in the context of a Bachelor or Master Thesis, though this requires further individual discussion.

Remarks

• Roman Bögli is the contact person for this project and happy to answer questions or discuss contribution ideas.
• This project is part of a larger multi-university initiative aimed at building a cross-cultural cybersecurity community between Swiss and African researchers, lecturers, and students. While not currently planned, there may be opportunities for students involved in this project to join future trips to our African partner institutions and present their work.

Further Reading

• Examples of cybersecurity resources:
  • NIST Cybersecurity Framework (CSF)
  • OWASP Top 10
  • MITRE ATT&CK
  • SANS Glossary of Cyber Security Terms
  • ISACA Glossary
  • National Vulnerability Database (NVD)
  • Exploit Database
  • Common Vulnerabilities and Exposures (CVE) Catalogue
  • Malpedia (database of malware families)
  • Mindmaps for cyber security technologies, methodologies, etc.
• Publications
  • Catal C, Ozcan A, Donmez E, Kasif A (2023) Analysis of cyber security knowledge gaps based on cyber security body of knowledge. Educ Inf Technol 28:1809–1831.
  • Liu K, Wang F, Ding Z, et al (2022) Recent Progress of Using Knowledge Graph for Cybersecurity. Electronics 11:2287.
  • Li K, Zhou H, Tu Z, Feng B (2020) CSKB: A Cyber Security Knowledge Base Based on Knowledge Graph. In: Yu S, Mueller P, Qian J (eds) Security and Privacy in Digital Economy. Springer, Singapore, pp 100–113
  • Rantos K, Spyros A, Papanikolaou A, et al (2020) Interoperability Challenges in the Cybersecurity Information Sharing Ecosystem. Computers 9:18.
  • Pala A, Zhuang J (2019) Information Sharing in Cybersecurity: A Review. Decision Analysis 16:172–196.
  • Dandurand L, Serrano OS (2013) Towards improved cyber security information sharing. In: 2013 5th International Conference on Cyber Conflict (CYCON 2013). pp 1–16