Authentic PBL Experience in Software Engineering

Project-based learning (PBL) is a teaching approach that has recently gained popularity. It allows students to develop real-world problem-solving skills by working on a project in a classroom setting over an extended period. In software engineering, project-based learning has become a common approach to teaching students how to develop high-quality software. However, there has been debate over the authenticity of these projects, with some arguing that it does not accurately reflect real-world software development challenges and complexities. In this post, we will analyze the authenticity of a course-based software engineering project and how it can be improved to better prepare students for the challenges of the software development industry.

Software engineering Lifecycle and ISTE

The International Society for Technology in Education (ISTE) contains a set of standards for students to use technology effectively for learning. The 4th ISTE standard for students is:

    This standard highlights the importance of students using digital tools to manage projects, solve problems, and make informed decisions, as well as the ability to think critically and analyze risks in design, which are essential skills in modern software development.

    The software development lifecycle embodies ISTE standard 4 for students, emphasizing the importance of producing high-quality software. The lifecycle comprises four primary stages: specification, design, implementation, and maintenance. The specification stage involves gathering and documenting the software requirements, while the design stage focuses on planning and structuring the software. The implementation stage is dedicated to developing and testing the software, and the maintenance stage involves monitoring and updating the software to ensure that it remains functional and usable over time. Each stage is an iterative process that produces partial outputs of the final deliverables.

    Teaching the software engineering lifecycle in a classroom can present several challenges. One of the main issues is that software development is a highly dynamic process that is difficult to replicate in a classroom setting. Classroom projects may lack the same complexity or scope as real-world software projects, which can hinder students’ understanding of the software development lifecycle. Additionally, classroom environments may not provide students with the same level of exposure to real-world tools and technologies commonly used in software development (Kay et al., 2000). To address these challenges, the following project design outline is intended to enhance the effectiveness of a PBL software engineering project by integrating real-world elements.

    Project Design

    This project design methodology draws inspiration from the backwards design approach (Wiggins, 2005), and it has been compiled from three PBL projects by Shekar et al. (2014), Abad et al. (2019), and Spichkova et al. (2015) that were effectively carried out.

    Through the project, students will understand the fundamental software lifecycle process and the reality of rapid changes in real-world requirements. They will also learn about the critical role of effective communication in ensuring customer satisfaction and the importance of maintaining quality standards throughout a software development project.

    The software project aims to improve students’ hard and soft skills. Hard skills, which are measurable and specific, consist of software development skills in a particular language or framework, project planning, and written communication. In contrast, soft skills are personal attributes that enable students to collaborate effectively, such as teamwork, decision-making, communication, and organization.

    To demonstrate a student’s understanding, the following evidence is required: appropriately documented changes made to the software at appropriate intervals, effective communication with the customer, including asking relevant questions, and the production of working software at the end of the development cycle that adheres to proper design and testing procedures.

    Shekar et al. (2019) have proposed a set of assessments that should include the following elements:

    • A project proposal that aims to replicate the initial phase of the software development lifecycle, including customer communication.
    • A detailed design that specifies various alternatives and justifies the selection of the chosen design.
    • A demonstration of the final product that establishes the student’s ability to effectively communicate their solution and exhibit a functional end product.
    • The final project report that confirms that the software product was constructed according to the proposed design and testing procedures during the entire software development process.
    • A self-reflection component that involves maintaining a journal that records successes, failures, and evaluations of team members.

    Best Practices

    Software Engineering educators encounter a significant challenge in balancing the provision of a realistic experience and maintaining classroom control when designing a project. The guidelines and best practices presented below are once again derived from successful project designs outlined in Shekar et al. (2014), Abad et al. (2019), and Spichkova et al. (2015).

    1. Provide real-world connections and real industry experience. Providing inadequate project specifications and forcing requirements to change can effectively challenge students and prepare them for real-world scenarios. A vagueness in the problem description from the client will force students to ask questions and shape their requirements-gathering workflow. Furthermore, a requirements change later in the process can force students to adapt and develop explicit change management skills (Abad et al. 2019).
    2. Include flexibility and team-oriented decision-making. In the approach by Abad et al. (2019), students can exercise flexibility in their development process by selecting from various software process models, including Opportunistic, Waterfall, Spiral, Concurrent, or Scrum, and justifying their choice of methodology for their system development. They can also modify their chosen process model as the project advances. Similarly, in Spichkova et al.’s (2015) approach, the design architecture incorporates a team-oriented decision-making component to encourage collaborative decision-making among team members.
    3. Focus on team dynamics. Effective teamwork is a critical factor in the success of a project. It is essential to clarify that everyone has an equal role and that all team members share ownership of the code base (Sepahkar et al., 2014). According to Bates (2022), another crucial aspect is establishing an interactive and asynchronous communication medium which all team members can access and utilize. Examples of such mediums include Facebook messenger, MS teams, and Discord. This fosters a collaborative environment where all team members are accountable to each other and can respond promptly to ensure the success of the project.
    4. Include personal reflections. Shekar et al. (2014) suggest incorporating personal reflection journals at each stage of the development process. This gives students a high-level view of the entire process and allows them to reflect on their progress. In the reflection journal, students should consider what went well during each stage, any unexpected difficulties they encountered, how to improve pacing, engagement, and assessments, and how to align each stage more closely with the primary objectives of the iteration.

    Conclusion

    Providing an authentic project-based learning experience in software engineering can be a challenging but rewarding experience for software engineering educators. By designing projects that simulate real-world scenarios, students can develop both technical and soft skills that are crucial for success in the software development industry. Moreover, incorporating assessment strategies that align with the software development lifecycle and emphasizing effective communication, collaboration, and self-reflection can enhance the learning experience for students. By following the guidelines and best practices proposed, educators can strike a balance between providing students with a realistic experience, maintaining classroom control, and preparing them for the challenges and opportunities in the software engineering industry.

    Reference:

    Kay, J., Barg, M., Fekete, A., Greening, T., Hollands, O., Kingston, J. H., & Crawford, K. (2000). Problem-based learning for foundation computer science courses. Computer Science Education10(2), 109-128.

    Sepahkar, M., Hendessi, F., & Nabiollahi, A. (2015). Defining Project Based Learning steps and evaluation method for software engineering students. International Journal of Computer Science and Information Security13(10), 48.

    Spichkova, M. (2019, November). Industry-oriented project-based learning of software engineering. In 2019 24th International conference on engineering of complex computer systems (ICECCS) (pp. 51-60). IEEE.

    Shekar, A. (2014, June). Project-based learning in engineering design education: sharing best practices. In 2014 ASEE Annual Conference & Exposition (pp. 24-1016).

    Wiggins, G. P., & McTighe, J. (2005). Understanding by design (2nd ed.). Association For Supervision And Curriculum Development.

    Bates, A. W. (Tony). (2022). 7.5 Broadcast or interactive media? Pressbooks.bccampus.ca. https://pressbooks.bccampus.ca/teachinginadigitalagev3m/chapter/8-3-broadcast-vs-communicative-technologies/

    Abad, Z. S. H., Bano, M., & Zowghi, D. (2019, May). How much authenticity can be achieved in software engineering project based courses?. In 2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET) (pp. 208-219). IEEE.

    Crap Detection for Node Package Manager

    Open-source software allows the source code to be freely available to the public, allowing anyone to inspect, modify, use, or distribute the code. It is typically developed and maintained by a community of volunteer developers who collaborate and contribute to the project. According to the Linux Foundation, open-source code is used in 70-90% of every software found today (A Summary of Census II: Open Source Software Application Libraries the World Depends on – Linux Foundation, n.d.). Most of this code is a result of open-source development frameworks.

    Open-source development frameworks are libraries of code and tools that provide a foundation for building software applications efficiently by supplying reusable components. Using open-source development frameworks can help streamline the software development process and reduce the time and effort required to build applications from scratch. Frameworks can be used for creating a wide range of software, including web, mobile, and desktop applications.

    Development frameworks typically rely on package managers.  A package manager is a tool that helps manage the libraries, dependencies, and other components needed for a project. Using a package manager, developers can automate installing, updating, and tracking libraries needed for their projects. Many package managers employ a team of reviewers who review every request to push new updates to the repository. However, some frameworks may include public repositories in which anyone can upload their packages for the community. The Node Package Manager (NPM), which runs on the JavaScript open-source framework NodeJS, is one of the most popular public repositories and thus makes it a target for harmful activity. 

    Types of Malicious Code

    Several types of malicious code can exist on NPM, including:

    1. The most obvious is that some packages themselves may contain malicious code, such as backdoors, trojans, or malware, that can harm the software or compromise the security of the system it is installed on. In other cases, malicious packages may simply lie about what the package does, instead running damaging commands such as modifying system files, altering settings, or collecting and transmitting sensitive data without the user’s consent. For example, a data-stealing package was uncovered in late 2022 after going undetected for over a year (NPM Malware Attack Goes Unnoticed for a Year | TechTarget, n.d.). There has also been an increase in crypto mining malware on NPM in 2022. These malware packages contain code that mines cryptocurrencies on the computer of the person who installs the package, using their system resources without the user’s knowledge.
    2. Supply Chain Attacks. Packages on NPM may have dependencies on other packages that contain vulnerabilities, which can put the developed software at risk if the vulnerabilities are not detected somewhere in the chain. (Ellison et al., 2010)
    3. Malicious code could be hidden in packages that have suspiciously similar names to popular and frequently used packages. These are known as typo-squatting and combo-squatting attacks (Vu et al., 2020). For example, in 2017, a popular package called ‘cross-env’ was typo-squatted and malicious code hosted on a package called ‘crossenv’ preyed on developers who accidentally misspelled the package name. (Npm Blog: ‘Crossenv’ Malware on the Npm Registry, n.d.)
    4. Stealing credentials of legitimate NPM accounts and pushing malicious code onto its repository (Vu et al., 2020)

    Information Literacy on NPM

    The term crap detection is used describe a process of deciding whether something found online is true. To help analyze packages for possible malicious code, several studies have been done on lightweight NPM vulnerability auto-detection tools. They are very effective. In most cases, with over 90% success rate (Sejfia et al., 2022) and able to identify exact types of vulnerability (according to OWASP) with a high degree of accuracy (Brito et al., 2023). They are, however, not perfect, and we, as developers, must do our part to avoid falling into the pit of malicious intent. Here is a summary of recommendations from the studies. I am basing this on the C.R.A.A.P. and S.I.F.T. tests for information literacy, I will call this the F.I.S.T. test for NPM literacy:

    • Package Frequency of download and package updates: The NPM website contains the weekly downloads of every package on the repository. The Frequency of maintenance of a package also gives information about the safety of use, check the last publish date to see how active this project is. Projects that are not actively maintained or have low weekly downloads are a cause for concern.
    • Inspect the code: Before installing a package, review it to ensure it doesn’t contain any malicious code. Go to the package’s Github account and quickly scan the code for malicious behaviour. Look for things like email dependencies, non-consensual sending of HTTP requests, etc. This may be difficult for beginners of a framework.
    • Use Secure sources: Only install packages from trusted sources like NPM or verified package managers like yarn. From the NPM website, verify information about the package’s publisher, such as the publisher’s website and social media accounts. If they have very little information online, it may suggest they are trying to hide something.
    • Use auditing Tools: Use security tools like npm audit, which scans installed packages for known vulnerabilities, to help you identify and mitigate potential security risks. npm audit will look at existing packages in your system, but since you can only run this command after the package has been installed, it may already be too late. Alternatively, there are also many NPM rating tools. Spectralops.io lists the Top 5 NPM audit tools in 2022. Among them are Synk and SpectralOps. Both tools provide reviews and ratings of every NPM package. Search the packages you intend to use to check its rating and to ensure they are not on the known vulnerabilities list. A package with low ratings or negative reviews may indicate potential security issues.

    NPM Improvements

    Other solutions are suggested to improve the existing architecture and workflow of the package managers themselves. This includes:

    • Updating NPM policy to allow automatic updating to the latest version of a package to mitigate technical lag (the time it takes a developer to recognize a malicious package and update it)
    • securing critical accounts on NPM,
    • providing trust scores for developers, and
    • eviction of typo- and combo-squatters.

    (Kaplan et el. 2021)

    Conclusion

    The Node Package Manager (NPM) is a powerful tool that helps software developers manage and share the packages they use in their projects. It provides an array of community packages which can be added to the software while enabling developers to write and share code with the community. However, with its growing popularity and widespread use, knowing how to perform crap detection on NPM effectively is a valuable asset for any modern developer looking to improve their information literacy skills.

    References

    A Summary of Census II: Open Source Software Application Libraries the World Depends On – Linux Foundation. (n.d.). Www.linuxfoundation.org. Retrieved February 5, 2023, from https://www.linuxfoundation.org/blog/blog/a-summary-of-census-ii-open-source-software-application-libraries-the-world-depends-on#:~:text=Introduction

    NPM Blog: ‘crossenv’ malware on the npm registry. (n.d.). Blog.npmjs.org. Retrieved February 4, 2023, from https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry.html

    Vu, D.L., Pashchenko, I., Massacci, F., Plate, H., Sabetta, A. (2020). Typosquatting and combosquatting attacks on the python ecosystem. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 509–514.  

    Ellison, R. J., Goodenough, J. B., Weinstock, C. B., & Woody, C. (2010). Evaluating and mitigating software supply chain security risks. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.

    Kaplan, B., & Qian, J. (2021). A survey on common threats in npm and pypi registries. Deployable Machine Learning for Security Defense: Second International Workshop, MLHat 2021, Virtual Event, August 15, 2021, Proceedings 2 (pp. 132-156). Springer International Publishing.

    NPM malware attack goes unnoticed for a year | TechTarget. (n.d.). Security. Retrieved February 4, 2023, from https://www.techtarget.com/searchsecurity/news/252525968/NPM-malware-attack-goes-unnoticed-for-a-year#:~:text=The%20researchers%20said%20that%20by

    Brito, T., Ferreira, M., Monteiro, M., Lopes, P., Barros, M., Santos, J. F., & Santos, N. (2023). Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages. ArXiv. https://arxiv.org/abs/2301.05097

    Sejfia, A., & Schäfer, M. (2022). Practical Automated Detection of Malicious npm Packages. ArXiv. https://doi.org/10.1145/3510003.3510104