J-WAVE: A Java Web Application for Vulnerability Education

Kyer, Michael Alexander

28 May 2024

Static application security testing (SAST) tools are commonly used by professionals to identify security vulnerabilities before deployment. While there are many such tools, they offer competing features and can be difficult and time-consuming to install and configure. To simplify the usage of these services for professors and students alike, this paper describes the Java web application for vulnerability education, or J-WAVE. J-WAVE combines 5 SAST tools into one web application: PMD, FindSecurityBugs, Semgrep, Yasca, and SonarQube. Making these tools available in an educational context is a proactive application of tools typically used in a reactive manner. J-WAVE offers simplicity to users by handling each tool's setup internally, while offering access to the large, collective rule set contributed by the combined tool suite. These attributes allow students to easily scan their own projects to detect a variety of security issues prior to submission. Likewise, educators can scan their students' code to detect common vulnerabilities present. This process is made easier as J-WAVE can accept batch submissions containing thousands of files. The SAST tools in JWAVE are complementary, and using them together helps detect a wider range of problems. However, different tools should be prioritized depending on what files are being scanned. PMD and SonarQube reports should be prioritized within general applications. Whereas, Semgrep and Yasca reports should be prioritized for scans of web applications. This paper reports on experiences from applying J-WAVE's tool suite to student submissions in two courses: an advanced data structures course, and a web application development course. / Master of Science / Static application security testing (SAST) tools are commonly used by professionals to identify security vulnerabilities before deployment. While there are many such tools, they offer competing features and can be difficult and time-consuming to install and configure. To simplify the usage of these services for professors and students alike, this paper describes the Java web application for vulnerability education, or J-WAVE. J-WAVE combines 5 SAST tools into one web application: PMD, FindSecurityBugs, Semgrep, Yasca, and SonarQube. Making these tools available in an educational context is a proactive application of tools typically used in a reactive manner. J-WAVE offers simplicity to users by handling each tool's setup internally, while offering access to the large, collective rule set contributed by the combined tool suite. These attributes allow students to easily scan their own projects to detect a variety of security issues prior to submission. Likewise, educators can scan their students' code to detect common vulnerabilities present. This process is made easier as J-WAVE can accept batch submissions containing thousands of files. The SAST tools in JWAVE are complementary, and using them together helps detect a wider range of problems. However, different tools should be prioritized depending on what files are being scanned. PMD and SonarQube reports should be prioritized within general applications. Whereas, Semgrep and Yasca reports should be prioritized for scans of web applications. This paper reports on experiences from applying J-WAVE's tool suite to student submissions in two courses: an advanced data structures course, and a web application development course.

Vulnerability education

SAST

vulnerability analysis

Is Education a Key to Reducing Vulnerability to Natural Disasters and hence Unavoidable Climate Change?

Muttarak, Raya, Lutz, Wolfgang

January 2014

The collection of articles in this Special Feature is part of a larger project on "Forecasting Societies" Adaptive Capacity to Climate Change (an Advanced Grant of the European Research Council to Wolfgang Lutz). In investigating how global change will affect population vulnerability to climate variability and extremes, the project aims to help develop strategies that enable societies to better cope with the consequences of climate change. In doing so, the basic hypothesis being tested is that societies can develop the most effective long-term defense against the dangers of climate change by strengthening human capacity, primarily through education. Education can directly influence risk perception, skills and knowledge and indirectly reduce poverty, improve health and promote access to information and resources. Hence, when facing natural hazards or climate risks, educated individuals, households and societies are assumed to be more empowered and more adaptive in their response to, preparation for, and recovery from disasters. Indeed the findings from eleven original empirical studies set in diverse geographic, socioeconomic, cultural and hazard contexts provide consistent and robust evidence on the positive impact of formal education on vulnerability reduction. Highly educated individuals and societies are reported to have better preparedness and response to the disasters, suffered lower negative impacts, and are able to recover faster. This suggests that public investment in empowering people and enhancing human capacity through education can have a positive externality in reducing vulnerability and strengthening adaptive capacity amidst the challenges of a changing climate.