
Design and Assessment of DevSecOps exercise for Secure Software Development Education

Milton, Md Musfiqur Rahman (2025)

 

Tietotekniikan DI-ohjelma - Master's Programme in Information Technology
Informaatioteknologian ja viestinnän tiedekunta - Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2025-06-02
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-202506016489
Abstract
Modern software systems increasingly depend on secure development practices. However, many academic curricula do not adequately address the industry-wide shift toward DevSecOps, which integrates security throughout the software development lifecycle. This thesis aimed to bridge that gap by designing and empirically evaluating a hands-on exercise that introduces students to DevSecOps within a realistic development environment.

The exercise involved students constructing a development pipeline using tools such as Jenkins, SonarQube, Snyk, Trivy, and OWASP ZAP. The OWASP Juice Shop, an intentionally vulnerable web application, served as the testbed for this exercise. Within this framework, students engaged in various levels of security testing, including static analysis, dynamic analysis, software composition analysis, and container scanning. Additionally, they explored key principles of DevSecOps, including early integration, automation, and shared responsibility.

Evaluation was conducted through pre- and post-exercise surveys completed by 75 students enrolled in a university-level secure programming course. The quantitative analysis revealed statistically significant improvements in both knowledge and self-efficacy, while qualitative analysis indicated increased confidence and practical insight. Although students began with high attitudes and interest in secure development, the exercise successfully maintained that consistency and produced outcomes that closely aligned with their initial expectations. Notably, these results were consistent among participants, irrespective of age, gender, educational background, or prior experience.

This thesis presents a replicable and scalable model for incorporating DevSecOps into software engineering education. By merging real-world technical skills with an effective teaching approach, it enhances our understanding of how to teach secure development practices. Additionally, it provides valuable insights for educators, curriculum planners, and universities seeking to better align their programs with industry demands.
Collections
  • Theses - Master's degree [40600]
Kalevantie 5
PL 617
33014 Tampereen yliopisto
oa[@]tuni.fi | Privacy | Accessibility statement
 

 
