Computer Science · 12th Grade

Active learning ideas

Software Security and Secure Coding Practices

Active learning works for software security because students need to experience how small coding choices lead to real vulnerabilities. When students analyze real code snippets, they see that security flaws are not abstract concepts but predictable mistakes that can be identified and fixed early in development.

Common Core State Standards · CSTA: 3B-NI-04 · CSTA: 3B-AP-21
40–50 min · Pairs → Whole Class · 3 activities

Activity 01

Code Review Challenge: Spot the Vulnerability

Give each pair a printed or screen-shared code snippet containing one or two deliberate vulnerabilities (SQL injection, missing input validation, hard-coded credentials). Pairs annotate the code identifying the vulnerability, explaining why it is exploitable, and proposing a fix. Each pair then presents their analysis to an adjacent pair for critique before the class compares findings.

Explain the importance of secure coding practices throughout the software development lifecycle.

Facilitation Tip: During the Code Review Challenge, ask students to annotate their reasoning directly on the code snippets to make their thought process visible.

What to look for: Present students with short code snippets, some containing common vulnerabilities (e.g., unsanitized user input in a database query). Ask them to identify the vulnerability, explain its potential impact, and suggest a specific secure coding practice to prevent it.
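A sample snippet for the Code Review Challenge, added here as an example and not part of the original lesson brief: the first half carries the three flaws named in the activity, the second half is one fix a pair might propose. The table, function names, and the `APP_DB_PASSWORD` variable are assumptions made for illustration.

```python
import os
import re
import sqlite3

# --- Snippet handed to pairs for review (deliberately vulnerable) ---
DB_PASSWORD = "example-password-123"  # flaw 1: hard-coded credential (constructed value)

def find_user_vulnerable(conn, username):
    # flaw 2: no input validation; flaw 3: query built by string concatenation
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

# --- One acceptable fix a pair might propose ---
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def get_db_password():
    # The secret comes from the environment, never from source control.
    password = os.environ.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return password

def find_user_safe(conn, username):
    # Allow-list validation rejects unexpected input before it reaches the database.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Parameterized query: the driver treats the value as data, not as SQL.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()

def make_demo_db():
    # Constructed in-memory data so the exercise runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    crafted = "nobody' OR '1'='1"  # constructed review input
    print("vulnerable:", find_user_vulnerable(db, crafted))
    try:
        find_user_safe(db, crafted)
    except ValueError as exc:
        print("safe:", exc)
```

Pairs can annotate the first function line by line, then compare their proposed fix against the second half during the critique step.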

Apply · Analyze · Evaluate · Create · Relationship Skills · Decision-Making · Self-Management

Activity 02

Gallery Walk · 50 min · Pairs

Gallery Walk: OWASP Top 10

Create eight to ten stations around the room, each dedicated to one OWASP Top 10 category. Each station includes a one-paragraph description, a simplified code example showing the vulnerable pattern, and a question prompt. Student pairs rotate through stations and record: the attack name, how it works, and the mitigation. A class debrief synthesizes the patterns.

Identify common software vulnerabilities like buffer overflows and cross-site scripting.

Facilitation Tip: For the Gallery Walk, position OWASP Top 10 posters at stations and have students rotate in small groups to discuss one vulnerability per stop.

What to look for: Provide students with a small, intentionally vulnerable code module. In pairs, students act as code reviewers, identifying at least two security flaws. They then write a brief report for each flaw, explaining the issue and proposing a corrected code snippet.

Understand · Apply · Analyze · Create · Relationship Skills · Social Awareness

Activity 03

Collaborative Problem-Solving · 45 min · Small Groups

Design Workshop: Secure Coding Guidelines

Small groups are assigned the role of a lead developer creating a one-page secure coding guide for new team members. Each group drafts guidelines for input validation, authentication, error handling, and dependency management. Groups exchange drafts and use a rubric to identify gaps, then refine their guide based on peer feedback before a final class share-out.

Design a set of secure coding guidelines for a development team.

Facilitation Tip: In the Design Workshop, provide a checklist of secure coding guidelines and have students justify each item’s inclusion before applying it to sample code.

What to look for: Facilitate a class discussion using the prompt: 'Imagine you are leading a small development team building a new social media app. What are the top three secure coding practices you would mandate for your team, and why are they critical for protecting user privacy and data?'

Apply · Analyze · Evaluate · Create · Relationship Skills · Decision-Making · Self-Management

A few notes on teaching this unit

Teach this topic by having students confront real vulnerabilities firsthand rather than memorizing a list of risks. Research shows that students retain security concepts better when they debug flawed code than when they read about them. Avoid lectures that separate theory from practice; instead, weave security principles into coding exercises to reinforce their relevance.

By the end of these activities, students should confidently identify common vulnerabilities in code, explain why they occur, and apply secure coding practices to fix them. They should also recognize that security is everyone’s responsibility, not an afterthought.


Watch Out for These Misconceptions

  • During the Gallery Walk, some students may assume that security is only the security team's responsibility.

    During the Gallery Walk, direct students to the OWASP Top 10 posters that highlight developer-introduced vulnerabilities, such as injection and broken authentication, to emphasize that most risks originate in code written by developers.

  • During the Code Review Challenge, students might believe input validation is only necessary for user-facing forms.

    During the Code Review Challenge, point out how the vulnerable snippets often include API responses and internal service calls, showing that validation is required for all external data, not just visible forms.

  • During the Design Workshop, students may think using a framework automatically protects against vulnerabilities.

    During the Design Workshop, use framework documentation to demonstrate how misuse, such as disabling security features or using raw SQL queries, reintroduces vulnerabilities the framework was meant to prevent.


Methods used in this brief