references.bib

@book{dirksen2015design,
  title={Design for how people learn},
  author={Dirksen, Julie},
  year={2015},
  publisher={New Riders}
}

@inproceedings{xie2011programmers,  title={Why do programmers make security errors?},  author={Xie, Jing and Lipford, Heather Richter and Chu, Bill},  booktitle={Visual Languages and Human-Centric Computing (VL/HCC), 2011 IEEE Symposium on},  pages={161--164},  year={2011},  organization={IEEE}}

@inproceedings{zhu2013,  title={Interactive support for secure programming education},  author={Zhu, Jun and Lipford, Heather Richter and Chu, Bill},  booktitle={Proceeding of the 44th ACM technical symposium on Computer science education},  pages={687--692},  year={2013},  organization={ACM}}

@inproceedings{whitney2015embedding,  title={Embedding secure coding instruction into the IDE: A field study in an advanced CS course},  author={Whitney, Michael and Lipford-Richter, Heather and Chu, Bill and Zhu, Jun},  booktitle={Proceedings of the 46th ACM Technical Symposium on Computer Science Education},  pages={60--65},  year={2015},  organization={ACM}}

@inproceedings{zhu2015mitigating,  title={Mitigating access control vulnerabilities through interactive static analysis},  author={Zhu, Jun and Chu, Bill and Lipford, Heather and Thomas, Tyler},  booktitle={Proceedings of the 20th ACM Symposium on Access Control Models and Technologies},  pages={199--209},  year={2015},  organization={ACM}}

@article{zhu2014supporting,  title={Supporting secure programming in web applications through interactive static analysis},  author={Zhu, Jun and Xie, Jing and Lipford, Heather Richter and Chu, Bill},  journal={Journal of advanced research},  volume={5},  number={4},  pages={449--462},  year={2014},  publisher={Elsevier}}

@inproceedings{xie2011,  title={Idea: Interactive Support for Secure Software Development.},  author={Xie, Jing and Chu, Bill and Lipford, Heather Richter},  booktitle={ESSoS},  pages={248--255},  year={2011},  organization={Springer}}

@inproceedings{xie2011aside,  title={{ASIDE}: {IDE} support for web application security},  author={Xie, Jing and Chu, Bill and Lipford, Heather Richter and Melton, John T},  booktitle={Proceedings of the 27th Annual Computer Security Applications Conference},  pages={267--276},  year={2011},  organization={ACM}}

@inproceedings{xie2012,  title={Evaluating interactive support for secure programming},  author={Xie, Jing and Lipford, Heather and Chu, Bei-Tseng},  booktitle={Proceedings of the SIGCHI Conference on Human Factors in Computing Systems},  pages={2707--2716},  year={2012},  organization={ACM}}

@inproceedings{baset2017ide,
  title={Ide plugins for detecting input-validation vulnerabilities},
  author={Baset, Aniqua Z and Denning, Tamara},
  booktitle={2017 IEEE Security and Privacy Workshops (SPW)},
  pages={143--146},
  year={2017},
  organization={IEEE}
}

@inproceedings{cruzes2017security,  title={How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams},  author={Cruzes, Daniela Soares and Felderer, Michael and Oyetoyan, Tosin Daniel and Gander, Matthias and Pekaric, Irdin},  booktitle={Int'l Conf.\ on Agile Software Development},  pages={201--216},  year={2017},  organization={Springer}}

@inproceedings{morrison2017surveying,  title={Surveying Security Practice Adherence in Software Development},  author={Morrison, Patrick and Smith, Benjamin H and Williams, Laurie},  booktitle={Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp},  pages={85--94},  year={2017},  organization={ACM}}

@article{sharma2017,  title={Aspects of Enhancing Security in Software Development Life Cycle},  author={Sharma, Anuradha and Misra, Praveen Kumar},  journal={Advances in Computational Sciences and Technology},  volume={10},  number={2},  pages={203--210},  year={2017}}

@article{banerjee2009software,  title={Software Security Rules, SDLC Perspective},  author={Banerjee, C and Pandey, SK},  journal={arXiv preprint arXiv:0911.0494},  year={2009}}

@inproceedings{poller2017can,  title={Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group.},  author={Poller, Andreas and Kocksch, Laura and T{\"u}rpe, Sven and Epp, Felix Anand and Kinder-Kurlanda, Katharina},  booktitle={CSCW},  pages={2489--2503},  year={2017}}

@inproceedings{lipfordimpact,
  title={The Impact of a Structured Application Development Framework on Web Application Security},
  author={Lipford, Heather Richter and Xie, Jing and Stranathan, Will and Oakley, Daniel and Chu, Bei-Tseng},
  booktitle={Proceedings of the 14th Colloquium for Information Systems Security Education},
  pages={212--219},
  year={2010},
  organization={Baltimore Marriott Inner Harbor}
}

@inproceedings{tabassum2017comparing,  title={Comparing Educational Approaches to Secure Programming: Tool vs. TA},  author={Tabassum, Madiha and Watson, Stacey and Lipford, Heather Richter},  booktitle={Symposium on Usable Privacy and Security (SOUPS)},  year={2017}}

@inproceedings{zhioua2017formal,  title={Formal Specification and Verification of Security Guidelines},  author={Zhioua, Zeineb and Roudier, Yves and Ameur, Rabea Boulifa},  booktitle={Dependable Computing (PRDC), 2017 IEEE 22nd Pacific Rim International Symposium on},  pages={267--273},  year={2017},  organization={IEEE}}

@article{hodge2003comparison,
  title={A comparison of standard spell checking algorithms and a novel binary neural approach},
  author={Hodge, Victoria J and Austin, Jim},
  journal={IEEE transactions on knowledge and data engineering},
  volume={15},
  number={5},
  pages={1073--1081},
  year={2003},
  publisher={IEEE}
}

@inproceedings{chen2002mops,
  title={MOPS: an infrastructure for examining security properties of software},
  author={Chen, Hao and Wagner, David},
  booktitle={Proceedings of the 9th ACM conference on Computer and communications security},
  pages={235--244},
  year={2002},
  organization={ACM}
}

@ARTICLE{findbugs2008, 
author={N. Ayewah and D. Hovemeyer and J. D. Morgenthaler and J. Penix and W. Pugh}, 
journal={IEEE Software}, 
title={Using Static Analysis to Find Bugs}, 
year={2008}, 
volume={25}, 
number={5}, 
pages={22-29}, 
keywords={Java;SQL;public domain software;security of data;software engineering;FindBugs;Java;SQL injection;open source static-analysis tool;runtime errors;security violations;software development;Computer bugs;Educational institutions;Java;Open source software;Production;Programming;Security;Software quality;Software tools;Testing;FindBugs;bug patterns;code quality;software defects;software quality;static analysis}, 
doi={10.1109/MS.2008.130}, 
ISSN={0740-7459}, 
month={Sept},}

@inproceedings{ayewah2007evaluating,
  title={Evaluating static analysis defect warnings on production software},
  author={Ayewah, Nathaniel and Pugh, William and Morgenthaler, J David and Penix, John and Zhou, YuQian},
  booktitle={Proc.\ 7th workshop on Program analysis for software tools and engineering},
  pages={1--8},
  year={2007},
  OPTorganization={ACM}
}

@article{damm2006faults,
  title={Faults-slip-through—a concept for measuring the efficiency of the test process},
  author={Damm, Lars-Ola and Lundberg, Lars and Wohlin, Claes},
  journal={Software Process: Improvement and Practice},
  volume={11},
  number={1},
  pages={47--59},
  year={2006},
  publisher={Wiley Online Library}
}
@article{briand2000comprehensive,
  title={A comprehensive evaluation of capture-recapture models for estimating software defect content},
  author={Briand, Lionel C and El Emam, Khaled and Freimut, Bernd G and Laitenberger, Oliver},
  journal={IEEE Transactions on Software Engineering},
  volume={26},
  number={6},
  pages={518--540},
  year={2000},
  publisher={IEEE}
}
@inproceedings{baca2008evaluating,
  title={Evaluating the cost reduction of static code analysis for software security},
  author={Baca, Dejan and Carlsson, Bengt and Lundberg, Lars},
  booktitle={Proc.\ 3rd ACM SIGPLAN workshop on Programming languages and analysis for security},
  pages={79--88},
  year={2008},
  organization={ACM}
}

@book{chess2007secure,
  title={Secure programming with static analysis},
  author={Chess, Brian and West, Jacob},
  year={2007},
  publisher={Pearson Education}
}

@inproceedings{livshits2005finding,
  title={Finding Security Vulnerabilities in Java Applications with Static Analysis.},
  author={Livshits, V Benjamin and Lam, Monica S},
  booktitle={USENIX Security Symposium},
  volume={14},
  pages={18--18},
  year={2005}
}

@inproceedings{turpe2016penetration,
  title={Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team.},
  author={T{\"u}rpe, Sven and Kocksch, Laura and Poller, Andreas},
  booktitle={WSIW@ SOUPS},
  year={2016}
}

@article{li2017static,
  title={Static analysis of android apps: A systematic literature review},
  author={Li, Li and Bissyand{\'e}, Tegawend{\'e} F and Papadakis, Mike and Rasthofer, Siegfried and Bartel, Alexandre and Octeau, Damien and Klein, Jacques and Traon, Le},
  journal={Information and Software Technology},
  volume={88},
  pages={67--95},
  year={2017},
  publisher={Elsevier}
}

@inproceedings{jovanovic2006pixy,
  title={Pixy: A static analysis tool for detecting web application vulnerabilities},
  author={Jovanovic, Nenad and Kruegel, Christopher and Kirda, Engin},
  booktitle={Security and Privacy, 2006 IEEE Symposium on},
  pages={6--pp},
  year={2006},
  organization={IEEE}
}

@article{chess2004static,
  title={Static analysis for security},
  author={Chess, Brian and McGraw, Gary},
  journal={IEEE Security \& Privacy},
  volume={2},
  number={6},
  pages={76--79},
  year={2004},
  publisher={IEEE}
}

@INPROCEEDINGS{Scandariato2013, 
author={R. Scandariato and J. Walden and W. Joosen}, 
booktitle={24th Int'l Symp.\ on Software Reliability Engineering (ISSRE)}, 
title={Static analysis versus penetration testing: A controlled experiment}, 
year={2013}, 
volume={}, 
number={}, 
pages={451-460}, 
keywords={program diagnostics;program testing;public domain software;automated static analysis;black box penetration testing;open source blogging applications;Context;Databases;Manuals;Productivity;Security;Software;Testing}, 
doi={10.1109/ISSRE.2013.6698898}, 
ISSN={1071-9458}, 
month={Nov},}

@book{armsrace,
 editor = {Larsen, Per and Sadeghi, Ahmad-Reza},
 title = {The Continuing Arms Race: Code-Reuse Attacks and Defenses},
 year = {2018},
 isbn = {978-1-97000-183-9},
 publisher = {Association for Computing Machinery and Morgan \&\#38; Claypool},
 address = {New York, NY, USA},
} 

@InProceedings{securitytestingagile,
author="Cruzes, Daniela Soares
and Felderer, Michael
and Oyetoyan, Tosin Daniel
and Gander, Matthias
and Pekaric, Irdin",
editor="Baumeister, Hubert
and Lichter, Horst
and Riebisch, Matthias",
title="How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams",
booktitle="Agile Processes in Software Engineering and Extreme Programming",
year="2017",
publisher="Springer International Publishing",
address="Cham",
pages="201--216",
isbn="978-3-319-57633-6"
}

@inproceedings{futcher2008guidelines,
  title={Guidelines for secure software development},
  author={Futcher, Lynn and von Solms, Rossouw},
  booktitle={Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology},
  pages={56--65},
  year={2008},
  organization={ACM}
}

@misc{ESAPI,
  title={{OWASP Enterprise Security API Toolkits - Datasheet}},
  key={OWASP},
  howpublished={\url{https://www.owasp.org/images/8/81/Esapi-datasheet.pdf}}
}

@inproceedings{taintdroid,
 author = {Enck, William and Gilbert, Peter and Chun, Byung-Gon and Cox, Landon P. and Jung, Jaeyeon and McDaniel, Patrick and Sheth, Anmol N.},
 title = {TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones},
 booktitle = {Proc.\ 9th USENIX Conf.\ on Operating Systems Design and Implementation},
 OPTseries = {OSDI'10},
 year = {2010},
 OPTlocation = {Vancouver, BC, Canada},
 pages = {393--407},
 OPTnumpages = {15},
 OPTurl = {http://dl.acm.org/citation.cfm?id=1924943.1924971},
 OPTacmid = {1924971},
 OPTpublisher = {USENIX Association},
 OPTaddress = {Berkeley, CA, USA},
} 

@book{schumacher2013security,
  title={Security Patterns: Integrating security and systems engineering},
  author={Schumacher, Markus and Fernandez-Buglioni, Eduardo and Hybertson, Duane and Buschmann, Frank and Sommerlad, Peter},
  year={2013},
  publisher={John Wiley \& Sons}
}

@inproceedings{witteman2008secure,
  title={Secure application programming in the presence of side channel attacks},
  author={Witteman, Marc and Oostdijk, Martijn},
  booktitle={RSA conference},
  volume={2008},
  year={2008}
}

@misc{RSAvideo,
  title={{How to Transform Developers into Security People}},
  key={RSQ},
  author={Christopher Romeo},
  howpublished={\url{https://www.rsaconference.com/videos/how-to-transform-developers-into-security-people}}
}

@inproceedings{sadowski2015tricorder,
  title={Tricorder: Building a program analysis ecosystem},
  author={Sadowski, Caitlin and Van Gogh, Jeffrey and Jaspan, Ciera and S{\"o}derberg, Emma and Winter, Collin},
  booktitle={Proceedings of the 37th International Conference on Software Engineering-Volume 1},
  pages={598--608},
  year={2015},
  organization={IEEE Press}
}

@book{syed2015black,
  title={Black Box Thinking: Why Most People Never Learn from Their Mistakes--But Some Do},
  author={Syed, Matthew},
  year={2015},
  publisher={Penguin}
}

@article{bessey2010few,
  title={A few billion lines of code later: using static analysis to find bugs in the real world},
  author={Bessey, Al and Block, Ken and Chelf, Ben and Chou, Andy and Fulton, Bryan and Hallem, Seth and Henri-Gros, Charles and Kamsky, Asya and McPeak, Scott and Engler, Dawson},
  journal={Communications of the ACM},
  volume={53},
  number={2},
  pages={66--75},
  year={2010},
  publisher={ACM}
}

@book{johnson1977lint,
  title={Lint, a C program checker},
  author={Johnson, Stephen C},
  year={1977},
  publisher={Citeseer}
}

@inproceedings{paletov2018inferring,
  title={Inferring crypto API rules from code changes},
  author={Paletov, Rumen and Tsankov, Petar and Raychev, Veselin and Vechev, Martin},
  booktitle={Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation},
  pages={450--464},
  year={2018},
  organization={ACM}
}

@article{brown2016build,
  title={How to build static checking systems using orders of magnitude less code},
  author={Brown, Fraser and N{\"o}tzli, Andres and Engler, Dawson},
  journal={ACM SIGPLAN Notices},
  volume={51},
  number={4},
  pages={143--157},
  year={2016},
  publisher={ACM}
}

@inproceedings{johnson2013don,
  title={Why don't software developers use static analysis tools to find bugs?},
  author={Johnson, Brittany and Song, Yoonki and Murphy-Hill, Emerson and Bowdidge, Robert},
  booktitle={Proceedings of the 2013 International Conference on Software Engineering},
  pages={672--681},
  year={2013},
  organization={IEEE Press}
}

@inproceedings{layman2007toward,
  title={Toward reducing fault fix time: Understanding developer behavior for the design of automated fault detection tools},
  author={Layman, Lucas and Williams, Laurie and Amant, Robert St},
  booktitle={Empirical Software Engineering and Measurement, 2007. ESEM 2007. First International Symposium on},
  pages={176--185},
  year={2007},
  organization={IEEE}
}

@article{whitney2018embedding,
  title={Embedding Secure Coding Instruction Into the IDE: Complementing Early and Intermediate CS Courses With ESIDE},
  author={Whitney, Michael and Lipford, Heather Richter and Chu, Bill and Thomas, Tyler},
  journal={Journal of Educational Computing Research},
  volume={56},
  number={3},
  pages={415--438},
  year={2018},
  publisher={SAGE Publications Sage CA: Los Angeles, CA}
}

@inproceedings{ayewah2010google,
  title={The google findbugs fixit},
  author={Ayewah, Nathaniel and Pugh, William},
  booktitle={Proc.\ 19th Int'l Symp.\ on Software testing and analysis},
  pages={241--252},
  year={2010},
  OPTorganization={ACM}
}

@inproceedings{ayewah2007using,
  title={Using findbugs on production software},
  author={Ayewah, Nathaniel and Pugh, William and Morgenthaler, J David and Penix, John and Zhou, YuQian},
  booktitle={Companion to the 22nd Conf.\ on Object-oriented programming systems and applications},
  pages={805--806},
  year={2007},
  OPTorganization={ACM}
}

@inproceedings{weimer2009automatically,
  title={Automatically finding patches using genetic programming},
  author={Weimer, Westley and Nguyen, ThanhVu and Le Goues, Claire and Forrest, Stephanie},
  booktitle={Proc.\ 31st Int'l Conf.\ on Software Engineering},
  pages={364--374},
  year={2009},
  organization={IEEE Computer Society}
}

@inproceedings{kim2013automatic,
  title={Automatic patch generation learned from human-written patches},
  author={Kim, Dongsun and Nam, Jaechang and Song, Jaewoo and Kim, Sunghun},
  booktitle={Proceedings of the 2013 International Conference on Software Engineering},
  pages={802--811},
  year={2013},
  organization={IEEE Press}
}

@article{long2016automatic,
  title={Automatic patch generation by learning correct code},
  author={Long, Fan and Rinard, Martin},
  journal={ACM SIGPLAN Notices},
  volume={51},
  number={1},
  pages={298--312},
  year={2016},
  publisher={ACM}
}

@misc{fsca,
    author = "{Micro Focus}",
    title  = "{Fortify Static Code Analyzer: Static Application Security Testing}",
    howpublished = "\url{https://www.microfocus.com/en-us/products/static-code-analysis-sast/overview}", 
    note   = "Last accessed 2019-10-14",
}

@misc{netflixprizeforum,
    author = "{Netflix}",
    title  = "{Netflix Prize: Forum / Grand Prize awarded to team BellKor’s Pragmatic Chaos}",
    howpublished = "\url{https://web.archive.org/web/20090924184639/http://www.netflixprize.com/community/viewtopic.php?id=1537}", 
    note   = "(Archived) Last accessed 2021-09-23",
}

@misc{netflixprizeleaderboard,
    author = "{Netflix}",
    title  = "{Netflix Prize: View Leaderboard}",
    howpublished = "\url{https://web.archive.org/web/20091227111134/http://www.netflixprize.com/leaderboard}", 
    note   = "(Archived) Last accessed 2021-09-23",
}

https://web.archive.org/web/20091227111134/http://www.netflixprize.com/leaderboard

@misc{fsca-curstom-rules,
    author = "{Micro Focus}",
    title  = "{Fortify SCA Custom Rules Reference}",
    howpublished = "\url{http://bigsec.net/b52/Fortify/rules-schema/}", 
    note   = "Last accessed 2019-10-15"
}

@misc{fod,
    author = "{Micro Focus}",
    title  = "{Fortify on Demand: Application Security as a Service}",
    howpublished = "\url{https://www.microfocus.com/en-us/products/application-security-testing/overview}", 
    note   = "Last accessed 2019-10-15",
}

@misc{fsa,
    author = "{Micro Focus}",
    title  = "{Secure SDLC - IDEs}",
    howpublished = "\url{https://www.microfocus.com/en-us/marketing/secure-sdlc-and-devops#section3}", 
    note   = "Last accessed 2019-10-15"
}

@misc{shipshape,
    author = "{Google}",
    title  = "{Github: Shipshape}",
    howpublished = "\url{https://github.com/google/shipshape}", 
    note   = "Last accessed 2019-10-15"
}
@misc{spotbugs,
    author = "{SpotBugs}",
    title  = "{SpotBugs: Find bugs in Java Programs}",
    howpublished = "\url{https://spotbugs.github.io/}", 
    note   = "Last accessed 2019-10-15"
}
@misc{findbugs,
    author = "{University of Maryland}",
    title  = "{FindBugs™ - Find Bugs in Java Programs}",
    howpublished = "\url{http://findbugs.sourceforge.net/}", 
    note   = "Last accessed 2019-10-15"
}
@misc{spotbugsdescriptions,
    author = "{SpotBugs}",
    title  = "{Bug descriptions}",
    howpublished = "\url{https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#security-security}", 
    note   = "Last accessed 2019-10-15"
}

@misc{spotbugsapi,
    author = "{SpotBugs}",
    title  = "{SpotBugs API Documentation}",
    howpublished = "\url{https://javadoc.io/doc/com.github.spotbugs/spotbugs/3.1.10}", note   = "Last accessed 2019-10-15"
}

@misc{findsecbugs,
    author = "{FindSecBugs}",
    title  = "{Find Security Bugs: The SpotBugs plugin for security audits of Java web applications}",
    howpublished = "\url{https://find-sec-bugs.github.io/}", 
    note   = "Last accessed 2019-10-15"
}

@misc{veracode,
    author = "{Veracode}",
    title  = "{Veracode Static Analysis: Don't Just Find Security Defects in Your Code - Fix Them Fast}",
    howpublished = "\url{https://www.veracode.com/products/binary-static-analysis-sast}", 
    note   = "Last accessed 2019-10-15"
}


@misc{cxaudit,
    author = "{Checkmarx}",
    title  = "{CxAudit Overview}",
    howpublished = "\url{https://checkmarx.atlassian.net/wiki/spaces/KC/pages/5406733/CxAudit+Overview}", 
    note   = "Last accessed 2019-10-15"
}

@misc{aside,
    author = "{OWASP}",
    title  = "{ASIDE Project}",
    howpublished = "\url{https://www.owasp.org/index.php/OWASP\_ASIDE\_Project}", 
    note   = "Last accessed 2019-10-16"
}

@misc{eside,
    author = "{UNC Charlotte College of Computing and Informatics}",
    title  = "{Educational Security in the IDE (ESIDE)}",
    howpublished = "\url{https://eside.uncc.edu/}", 
    note   = "Last accessed 2019-10-16"
}

@misc{snyk,
    author = "{Snyk}",
    title  = "{Open Source Security Platform}",
    howpublished = "\url{https://snyk.io/}", 
    note   = "Last accessed 2019-10-22"
}

@misc{secureassist,
    author = "{Synopsys}",
    title  = "{SecureAssist Overview}",
    howpublished = "\url{https://community.synopsys.com/s/article/SecureAssist-Overview}", 
    note   = "Last accessed 2019-10-25"
}

@misc{secureassistide,
    author = "{Synopsys}",
    title  = "{How to use SecureAssist IntelliJ Plugin}",
    howpublished = "\url{https://community.synopsys.com/s/article/How-to-Use-SecureAssist-IntelliJ-Plug-in}", 
    note   = "Last accessed 2019-10-25"
}

@misc{sastinide,
    author = "{Synopsys}",
    title  = "{SAST in IDE
(SecureAssist)}",
    howpublished = "\url{https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/secureassist-datasheet.pdf}", 
    note   = "Last accessed 2019-10-25"
}

@misc{secureassistruletutorial,
    author = "{Synopsys}",
    title  = "{SecureAssist Custom Rule Tutorial}",
    howpublished = "\url{http://download.asteriskresearch.com/2.4/SecureAssist%20Custom%20Rule%20Tutorial%2010-2014.pdf}", 
    note   = "Last accessed 2019-10-25"
}

@book{wohlin2012experimentation,
  title={Experimentation in software engineering},
  author={Wohlin, Claes and Runeson, Per and H{\"o}st, Martin and Ohlsson, Magnus C and Regnell, Bj{\"o}rn and Wessl{\'e}n, Anders},
  year={2012},
  publisher={Springer Science \& Business Media}
}

@article{hadi2016driving,
  title={Driving learner engagement and completion within MOOCs: a case for structured learning support},
  author={HADI, Syed Munib and RAWSON, Rebecca},
  journal={Proceedings of the European Stakeholder Summit on experiences and best practices in and around MOOCs (EMOOCS 2016)},
  pages={81},
  year={2016},
  publisher={BoD--Books on Demand}
}

@article{hamari2016challenging,
  title={Challenging games help students learn: An empirical study on engagement, flow and immersion in game-based learning},
  author={Hamari, Juho and Shernoff, David J and Rowe, Elizabeth and Coller, Brianno and Asbell-Clarke, Jodi and Edwards, Teon},
  journal={Computers in human behavior},
  volume={54},
  pages={170--179},
  year={2016},
  publisher={Elsevier}
}

@inproceedings{van2008difficulty,  
title={Difficulty Scaling through Incongruity},  
author={Van Lankveld, Giel and Spronck, Pieter and Rauterberg, Matthias},  
booktitle={Proceedings of the Fourth Artificial Intelligence and Interactive Digital Entertainment Conference},
pages={228--229},  
year={2008},  
organization={AIIDE}
}

@misc{shiftleftsurvey,
      title  = "Developer Productivity \& Security Survey",
      author = "ShiftLeft",
      howpublished = "\url{https://go.shiftleft.io/developer-productivity-and-security-survey}",
      note   = "Last accessed 2020-12-22"
    }
    
@misc{gitlabsurvey,
      title  = "Mapping the DevSecOps Landscape: 2020 Survey Results",
      author = "GitLab",
      howpublished    = "\url{https://about.gitlab.com/resources/downloads/2020-devsecops-report.pdf}",
      note   = "Last accessed 2021-01-26"
    }
    
@misc{owasptop10data,
      title  = "OWASP Top 10 Datacall submissions",
      author = "OWASP",
      howpublished    = "\url{https://github.com/OWASP/Top10/tree/master/2017/datacall/submissions}",
      note   = "Last accessed 2020-12-19"
}  

@misc{trustwave,
      title  = "Global Security Report",
      author = "Trustwave",
      howpublished    = "\url{https://www2.trustwave.com/rs/815-RFM-693/images/Trustwave_2018-GSR_20180329_Interactive.pdf}",
      note = "Last accessed 2018-05-22"
}  

@misc{softwareassurance,
    author = "{U.S. Department of Homeland Security}",
    title  = "{Infosheet Software Assurance}",
    howpublished = "\url{https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf}", 
    note = "Last accessed 2018-05-22",
}

@misc{stackoverflow2020,
    author = "{StackOverflow}",
    title  = "{2020 Developer Survey}",
    howpublished = "\url{https://insights.stackoverflow.com/survey/2020}", 
    note = "Last accessed 2021-06-09",
}

@misc{bsimm9,
  title={Building Security in Maturity Model 9(BSIMM)},
  author={McGraw, Gary and Migues, Sammy and West, Jacob},
  howpublished = "\url{https://www.bsimm.com/}",
  note={Last accessed 2018-05-22}
}

@misc{bsimm11,
  title={Building Security in Maturity Model 11(BSIMM)},
  author={McGraw, Gary and Migues, Sammy and West, Jacob},
  howpublished = "\url{https://www.bsimm.com/}",
  note={Last accessed 2020-12-22}
}

@article{kern2014securing,
  title={Securing the tangled web},
  author={Kern, Christoph},
  journal={Queue},
  volume={12},
  number={7},
  pages={40--55},
  year={2014},
  publisher={ACM New York, NY, USA}
}

@book{magis2017computerized,
  title={Computerized adaptive and multistage testing with R: Using packages catr and mstr},
  author={Magis, David and Yan, Duanli and Von Davier, Alina A},
  year={2017},
  publisher={Springer}
}

@article{weiss1984application,
  title={Application of computerized adaptive testing to educational problems},
  author={Weiss, David J and Kingsbury, G Gage},
  journal={Journal of Educational Measurement},
  volume={21},
  number={4},
  pages={361--375},
  year={1984},
  publisher={Wiley Online Library}
}

@article{ling2017computerized,
  title={Is a computerized adaptive test more motivating than a fixed-item test?},
  author={Ling, Guangming and Attali, Yigal and Finn, Bridgid and Stone, Elizabeth A},
  journal={Applied psychological measurement},
  volume={41},
  number={7},
  pages={495--511},
  year={2017},
  publisher={Sage Publications Sage CA: Los Angeles, CA}
}

@article{rasch1960probabilistic,
  title={Probabilistic models for some intelligence and attainment tests: Danish institute for Educational Research},
  author={Rasch, George},
  journal={Denmark Paedogiska, Copenhagen},
  year={1960}
}

@article{dodd1995computerized,
  title={Computerized adaptive testing with polytomous items},
  author={Dodd, Barbara G and De Ayala, RJ and Koch, William R},
  journal={Applied psychological measurement},
  volume={19},
  number={1},
  pages={5--22},
  year={1995},
  publisher={Sage Publications Sage CA: Thousand Oaks, CA}
}

@misc{doddevsecops,
  title={Department of Defense (DoD) Enterprise DevSecOps Reference Design, Department of Defense (DoD) Chief Information Officer},
  author={Lam, Thomas and Chaillan, Nicolas},
  howpublished = "\url{https://dodcio.defense.gov/Portals/0/Documents/DoD\%20Enterprise\%20DevSecOps\%20Reference\%20Design\%20v1.0_Public\%20Release.pdf}",
  note={Last accessed 2021-07-05}
}

@misc{snyk2020,
  title={The State of Open Source Security Report 2020},
  author={Snyk},
  howpublished = "\url{https://go.snyk.io/SoOSS-Report-2020.html}",
  note={Last accessed 2021-09-28}
}

@inproceedings{nielsen1993mathematical,
  title={A mathematical model of the finding of usability problems},
  author={Nielsen, Jakob and Landauer, Thomas K},
  booktitle={Proceedings of the INTERACT'93 and CHI'93 conference on Human factors in computing systems},
  pages={206--213},
  year={1993}
}

@book{liu2015comparing,
  title={Comparing Welch ANOVA, a Kruskal-Wallis test, and traditional ANOVA in case of heterogeneity of variance},
  author={Liu, Hangcheng},
  year={2015},
  publisher={Virginia Commonwealth University}
}

@article{games1976pairwise,
  title={Pairwise multiple comparison procedures with unequal n’s and/or variances: a Monte Carlo study},
  author={Games, Paul A and Howell, John F},
  journal={Journal of Educational Statistics},
  volume={1},
  number={2},
  pages={113--125},
  year={1976},
  publisher={Sage Publications Sage CA: Thousand Oaks, CA}
}

@misc{nondot,
  title={Chris Lattner's Homepage},
  author={Chris Lattner},
  howpublished = "\url{http://nondot.org/sabre/}",
  note={Last accessed 2021-08-18}
}

@misc{jssec,
    author = "Japan Smartphone Security Association",
    note   = "Last accessed 2021-07-25",
    title  = "{Android Application Secure Design/Secure Coding Guidebook}",
    howpublished = "\url{http://www.jssec.org/dl/android_securecoding_en.pdf}", 
}

@misc{cxsast,
    author = "{Checkmarx}",
    title  = "{Static Application Security Testing: Secure Your Code from the Very Beginning}",
    howpublished = "\url{https://www.checkmarx.com/products/static-application-security-testing/}", 
    note   = "Last accessed 2019-10-15"
}

@inproceedings{johnson2015bespoke,
  title={Bespoke tools: adapted to the concepts developers know},
  author={Johnson, Brittany and Pandita, Rahul and Murphy-Hill, Emerson and Heckman, Sarah},
  booktitle={Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering},
  pages={878--881},
  year={2015}
}

@article{cockburn2014supporting,
  title={Supporting novice to expert transitions in user interfaces},
  author={Cockburn, Andy and Gutwin, Carl and Scarr, Joey and Malacria, Sylvain},
  journal={ACM Computing Surveys (CSUR)},
  volume={47},
  number={2},
  pages={1--36},
  year={2014},
  publisher={ACM New York, NY, USA}
}

@inproceedings{sharma2017collaborative,
  title={Collaborative filtering-based recommender system: Approaches and research challenges},
  author={Sharma, Ritu and Gopalani, Dinesh and Meena, Yogesh},
  booktitle={2017 3rd international conference on computational intelligence \& communication technology (CICT)},
  pages={1--6},
  year={2017},
  organization={IEEE}
}

@article{yu2004probabilistic,
  title={Probabilistic memory-based collaborative filtering},
  author={Yu, Kai and Schwaighofer, Anton and Tresp, Volker and Xu, Xiaowei and Kriegel, H-P},
  journal={IEEE Transactions on Knowledge and Data Engineering},
  volume={16},
  number={1},
  pages={56--69},
  year={2004},
  publisher={IEEE}
}

@inproceedings{sarwar2001item,
  title={Item-based collaborative filtering recommendation algorithms},
  author={Sarwar, Badrul and Karypis, George and Konstan, Joseph and Riedl, John},
  booktitle={Proceedings of the 10th international conference on World Wide Web},
  pages={285--295},
  year={2001}
}

@inproceedings{sarwar2002recommender,
  title={Recommender systems for large-scale e-commerce: Scalable neighborhood formation using clustering},
  author={Sarwar, Badrul M and Karypis, George and Konstan, Joseph and Riedl, John},
  booktitle={Proceedings of the fifth international conference on computer and information technology},
  volume={1},
  pages={291--324},
  year={2002},
  organization={Citeseer}
}

@article{su2009survey,
  title={A survey of collaborative filtering techniques},
  author={Su, Xiaoyuan and Khoshgoftaar, Taghi M},
  journal={Advances in artificial intelligence},
  year={2009},
  publisher={Hindawi}
}

@inproceedings{hu2008collaborative,
  title={Collaborative filtering for implicit feedback datasets},
  author={Hu, Yifan and Koren, Yehuda and Volinsky, Chris},
  booktitle={2008 Eighth IEEE International Conference on Data Mining},
  pages={263--272},
  year={2008},
  organization={Ieee}
}

@article{Hug2020,
  doi = {10.21105/joss.02174},
  url = {https://doi.org/10.21105/joss.02174},
  year = {2020},
  publisher = {The Open Journal},
  volume = {5},
  number = {52},
  pages = {2174},
  author = {Nicolas Hug},
  title = {Surprise: A Python library for recommender systems},
  journal = {Journal of Open Source Software}
}

@article{Koren2010,
  title={Factor in the neighbors: Scalable and accurate collaborative filtering},
  author={Koren, Yehuda},
  journal={ACM Transactions on Knowledge Discovery from Data (TKDD)},
  volume={4},
  number={1},
  pages={1--24},
  year={2010},
  publisher={ACM New York, NY, USA}
}

@inproceedings{zhou2008large,
  title={Large-scale parallel collaborative filtering for the netflix prize},
  author={Zhou, Yunhong and Wilkinson, Dennis and Schreiber, Robert and Pan, Rong},
  booktitle={International conference on algorithmic applications in management},
  pages={337--348},
  year={2008},
  organization={Springer}
}

@inproceedings{bennett2007netflix,
  title={The netflix prize},
  author={Bennett, James and Lanning, Stan and others},
  booktitle={Proceedings of KDD cup and workshop},
  volume={2007},
  pages={35},
  year={2007},
  organization={New York, NY, USA.}
}

@inproceedings{koren2013collaborative,
  title={Collaborative filtering on ordinal user feedback},
  author={Koren, Yehuda and Sill, Joseph},
  booktitle={Twenty-third international joint conference on artificial intelligence},
  year={2013}
}

@inproceedings{lemire2005slope,
  title={Slope one predictors for online rating-based collaborative filtering},
  author={Lemire, Daniel and Maclachlan, Anna},
  booktitle={Proceedings of the 2005 SIAM International Conference on Data Mining},
  pages={471--475},
  year={2005},
  organization={SIAM}
}

@inproceedings{george2005scalable,
  title={A scalable collaborative filtering framework based on co-clustering},
  author={George, Thomas and Merugu, Srujana},
  booktitle={Fifth IEEE International Conference on Data Mining (ICDM'05)},
  pages={4--pp},
  year={2005},
  organization={IEEE}
}

@article{tanay2005biclustering,
  title={Biclustering algorithms: A survey},
  author={Tanay, Amos and Sharan, Roded and Shamir, Ron},
  journal={Handbook of computational molecular biology},
  volume={9},
  number={1-20},
  pages={122--124},
  year={2005},
  publisher={Citeseer}
}

@article{li2021novel,
  title={A novel Collaborative Filtering recommendation approach based on Soft Co-Clustering},
  author={Li, Man and Wen, Luosheng and Chen, Feiyu},
  journal={Physica A: Statistical Mechanics and its Applications},
  volume={561},
  pages={125140},
  year={2021},
  publisher={Elsevier}
}

@article{breese2013empirical,
  title={Empirical analysis of predictive algorithms for collaborative filtering},
  author={Breese, John S and Heckerman, David and Kadie, Carl},
  journal={arXiv preprint arXiv:1301.7363},
  year={2013}
}

@inproceedings{o1999clustering,
  title={Clustering items for collaborative filtering},
  author={O’Connor, Mark and Herlocker, Jon},
  booktitle={Proceedings of the ACM SIGIR workshop on recommender systems},
  volume={128},
  year={1999},
  organization={Citeseer}
}

@article{heckerman2000dependency,
  title={Dependency networks for inference, collaborative filtering, and data visualization},
  author={Heckerman, David and Chickering, David Maxwell and Meek, Christopher and Rounthwaite, Robert and Kadie, Carl},
  journal={Journal of Machine Learning Research},
  volume={1},
  number={Oct},
  pages={49--75},
  year={2000}
}

@article{moreno2016web,
  title={Web mining based framework for solving usual problems in recommender systems. A case study for movies׳ recommendation},
  author={Moreno, Mar{\'\i}a N and Segrera, Saddys and L{\'o}pez, Vivian F and Mu{\~n}oz, Mar{\'\i}a Dolores and S{\'a}nchez, {\'A}ngel Luis},
  journal={Neurocomputing},
  volume={176},
  pages={72--80},
  year={2016},
  publisher={Elsevier}
}

@inproceedings{mnih2008probabilistic,
  title={Probabilistic matrix factorization},
  author={Mnih, Andriy and Salakhutdinov, Russ R},
  booktitle={Advances in neural information processing systems},
  pages={1257--1264},
  year={2008}
}

@article{hoyer2004non,
  title={Non-negative matrix factorization with sparseness constraints.},
  author={Hoyer, Patrik O},
  journal={Journal of machine learning research},
  volume={5},
  number={9},
  year={2004}
}

@article{wang2012nonnegative,
  title={Nonnegative matrix factorization: A comprehensive review},
  author={Wang, Yu-Xiong and Zhang, Yu-Jin},
  journal={IEEE Transactions on knowledge and data engineering},
  volume={25},
  number={6},
  pages={1336--1353},
  year={2012},
  publisher={IEEE}
}

@techreport{sarwar2000application,
  title={Application of dimensionality reduction in recommender system-a case study},
  author={Sarwar, Badrul and Karypis, George and Konstan, Joseph and Riedl, John},
  year={2000},
  institution={Minnesota Univ Minneapolis Dept of Computer Science}
}

@inproceedings{polat2005svd,
  title={SVD-based collaborative filtering with privacy},
  author={Polat, Huseyin and Du, Wenliang},
  booktitle={Proceedings of the 2005 ACM symposium on Applied computing},
  pages={791--795},
  year={2005}
}

@inproceedings{koren2008factorization,
  title={Factorization meets the neighborhood: a multifaceted collaborative filtering model},
  author={Koren, Yehuda},
  booktitle={Proceedings of the 14th ACM SIGKDD international conference on Knowledge discovery and data mining},
  pages={426--434},
  year={2008}
}

@incollection{Ricci2010,
  title={Introduction to recommender systems handbook},
  author={Ricci, Francesco and Rokach, Lior and Shapira, Bracha},
  booktitle={Recommender systems handbook},
  pages={1--35},
  year={2011},
  publisher={Springer}
}

@article{koren2009matrix,
  title={Matrix factorization techniques for recommender systems},
  author={Koren, Yehuda and Bell, Robert and Volinsky, Chris},
  journal={Computer},
  volume={42},
  number={8},
  pages={30--37},
  year={2009},
  publisher={IEEE}
}

@inproceedings{zhang2006learning,
  title={Learning from incomplete ratings using non-negative matrix factorization},
  author={Zhang, Sheng and Wang, Weihong and Ford, James and Makedon, Fillia},
  booktitle={Proceedings of the 2006 SIAM international conference on data mining},
  pages={549--553},
  year={2006},
  organization={SIAM}
}

@article{NMF_algo,
  title={Algorithms for nonnegative matrix factorization with the $\beta$-divergence},
  author={F{\'e}votte, C{\'e}dric and Idier, J{\'e}r{\^o}me},
  journal={Neural computation},
  volume={23},
  number={9},
  pages={2421--2456},
  year={2011},
  publisher={MIT Press}
}

@article{NMF:2014,
  title={An efficient non-negative matrix-factorization-based approach to collaborative filtering for recommender systems},
  author={Luo, Xin and Zhou, Mengchu and Xia, Yunni and Zhu, Qingsheng},
  journal={IEEE Transactions on Industrial Informatics},
  volume={10},
  number={2},
  pages={1273--1284},
  year={2014},
  publisher={IEEE}
}

@misc{robitzsch2021package,
  title={Package ‘TAM’},
  author={Robitzsch, Alexander and Kiefer, Thomas and Wu, Margaret and Robitzsch, Maintainer Alexander and Adams, Wilson and Rcpp, LinkingTo and LSAmitR, RcppArmadillo Enhances},
  year={2021},
  howpublished = "\url{https://cran.r-project.org/web/packages/TAM/TAM.pdf}",
  note={Last accessed 2021-10-05}
}

@article{bartolucci2010point,
    author = {Bartolucci, Francesco and Scrucca, Luca},
    year = {2010},
    month = {12},
    pages = {366-373},
    title = {Point Estimation Methods with Applications to Item Response Theory Models},
    journal = {International Encyclopedia of Education},
    doi = {10.1016/B978-0-08-044894-7.01376-2}
}%

@article{wichers2017owasp,
  title={Owasp top-10 2017},
  author={Wichers, Dave and Williams, Jeff},
  journal={OWASP Foundation},
  year={2017}
}

@article{tsipenyuk2005seven,
  title={Seven pernicious kingdoms: A taxonomy of software security errors},
  author={Tsipenyuk, Katrina and Chess, Brian and McGraw, Gary},
  journal={IEEE Security \& Privacy},
  volume={3},
  number={6},
  pages={81--84},
  year={2005},
  publisher={IEEE}
}

@inproceedings{guo2009ontology,
  title={An ontology-based approach to model common vulnerabilities and exposures in information security},
  author={Guo, Minzhe and Wang, Ju An},
  booktitle={ASEE Southest Section Conference},
  year={2009}
}

@inproceedings{mann1999towards,
  title={Towards a common enumeration of vulnerabilities},
  author={Mann, David E and Christey, Steven M},
  booktitle={2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana},
  year={1999}
}

@MISC{CVE-2014-0160,
  title = {{CVE}-2014-0160.},
  howpublished = "Available from MITRE, {CVE-ID} {CVE}-2014-0160.",
  month=dec # "~3",
  year = {2013},
  url={http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 },
  urldate={19 April 2015}
}

@article{martin20112011,
  title={2011 CWE/SANS top 25 most dangerous software errors},
  author={Martin, Bob and Brown, Mason and Paller, Alan and Kirby, Dennis and Christey, Steve},
  journal={Common Weakness Enumeration},
  volume={7515},
  year={2011}
}

@article{fowler2001agile,
  title={The agile manifesto},
  author={Fowler, Martin and Highsmith, Jim and others},
  journal={Software development},
  volume={9},
  number={8},
  pages={28--35},
  year={2001},
  publisher={[San Francisco, CA: Miller Freeman, Inc., 1993-}
}

@book{schwaber2004agile,
  title={Agile project management with Scrum},
  author={Schwaber, Ken},
  year={2004},
  publisher={Microsoft press}
}

@article{erich2017qualitative,
  title={A qualitative study of DevOps usage in practice},
  author={Erich, Floris MA and Amrit, Chintan and Daneva, Maya},
  journal={Journal of software: Evolution and Process},
  volume={29},
  number={6},
  pages={e1885},
  year={2017},
  publisher={Wiley Online Library}
}

@article{ebert2016devops,
  title={DevOps},
  author={Ebert, Christof and Gallardo, Gorka and Hernantes, Josune and Serrano, Nicolas},
  journal={Ieee Software},
  volume={33},
  number={3},
  pages={94--100},
  year={2016},
  publisher={IEEE}
}

@misc{gdpr,
  title={Data Protection in the EU},
  author={European Commission},
  howpublished = "\url{https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en}",
  note={Last accessed 2021-09-28}
}


@misc{gdprhackerone,
  title={What Percentage of Your Software Vulnerabilities Have GDPR Implications?},
  author={hackerone},
  howpublished = "\url{https://www.hackerone.com/sites/default/files/2018-01/GDPR\%20Implications-ebook.pdf}",
  note={Last accessed 2021-09-28}
}

@misc{gdprfra,
  title={Your rights matter: Data protection and privacy - Fundamental Rights Survey},
  author={European Union Agency for Fundamental Rights (FRA)},
  howpublished = "\url{https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection}",
  note={Last accessed 2021-09-28}
}

@inproceedings{cassandra2021analysis,
  title={Analysis of Product Trust, Product Rating and Seller Trust in e-Commerce on Purchase Intention during the COVID-19 Pandemic},
  author={Cassandra, Cadelina and Eni, Yuli and Marcela, Yuriska and Clarissa, Stevania and others},
  booktitle={2021 International Conference on Information Management and Technology (ICIMTech)},
  volume={1},
  pages={522--525},
  year={2021},
  organization={IEEE}
}

@article{ashraf2020role,
  title={The role of continuous trust in usage of online product recommendations},
  author={Ashraf, Muhammad and Ahmad, Jamil and Sharif, Wareesa and Raza, Arslan Ali and Shabbir, Muhammad Salman and Abbas, Mazhar and Thurasamy, Ramayah},
  journal={Online Information Review},
  year={2020},
  publisher={Emerald Publishing Limited}
}

@misc{sbomntia,
  title={SOFTWARE BILL OF MATERIALS},
  author={National Telecommunications and Information Administration},
  howpublished = "\url{https://www.ntia.gov/sbom}",
  note={Last accessed 2021-09-28}
}

@misc{bideneo,
  title={Executive Order 14028: Improving the Nation’s Cybersecurity},
  author={White House Briefing Room},
  howpublished = "\url{https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity}",
  note={Last accessed 2021-09-28}
}

@misc{nistpapers,
  title={Enhancing Software Supply Chain Security: Responses to Call for Position Papers on Standards and Guidelines},
  author={NIST},
  howpublished = "\url{https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/enhancing-software-supply-chain-security}",
  note={Last accessed 2021-09-28}
}

@misc{ctt,
  title={Glossary (Archived)},
  author={National Council on Measurement in Education},
  howpublished = "\url{https://web.archive.org/web/20170722194028/http://www.ncme.org/ncme/NCME/Resource_Center/Glossary/NCME/Resource_Center/Glossary1.aspx?hkey=4bb87415-44dc-4088-9ed9-e8515326a061#anchorC}",
  note={Last accessed 2021-09-30}
}

@misc{iso27k,
  title={ISO/IEC 27001
INFORMATION SECURITY MANAGEMENT},
  author={ISO},
  howpublished = "\url{https://www.iso.org/isoiec-27001-information-security.html}",
  note={Last accessed 2021-09-29}
}


@inproceedings{garzotto2007investigating,
  title={Investigating the educational effectiveness of multiplayer online games for children},
  author={Garzotto, Franca},
  booktitle={Proceedings of the 6th international conference on Interaction design and children},
  pages={29--36},
  year={2007}
}

@article{sweetser2005gameflow,
  title={GameFlow: a model for evaluating player enjoyment in games},
  author={Sweetser, Penelope and Wyeth, Peta},
  journal={Computers in Entertainment (CIE)},
  volume={3},
  number={3},
  pages={3--3},
  year={2005},
  publisher={ACM New York, NY, USA}
}

@article{febretti2009usability,
    author = {Febretti, Alessandro and Garzotto, Franca},
    year = {2009},
    month = {04},
    pages = {4063-4068},
    title = {Usability, playability, and long-term engagement in computer games},
    journal = {CHI '09 Extended Abstracts on Human Factors in Computing Systems},
    doi = {10.1145/1520340.1520618}
}

@article{dahleez2021higher,
  title={Higher education student engagement in times of pandemic: the role of e-learning system usability and teacher behavior},
  author={Dahleez, Khalid Abed and El-Saleh, Ayman A and Al Alawi, Abrar Mohammed and Abdelfattah, Fadi Abdelmuniem},
  journal={International Journal of Educational Management},
  year={2021},
  publisher={Emerald Publishing Limited}
}

@incollection{csikszentmihalyi2014learning,
  title={Learning,“flow,” and happiness},
  author={Csikszentmihalyi, Mihaly},
  booktitle={Applications of flow in human development and education},
  pages={153--172},
  year={2014},
  publisher={Springer}
}

@article{joo2012model,
  title={A model for predicting learning flow and achievement in corporate e-learning},
  author={Joo, Young Ju and Lim, Kyu Yon and Kim, Su Mi},
  journal={Educational Technology \& Society},
  volume={15},
  number={1},
  pages={313},
  year={2012},
  publisher={JSTOR}
}

@article{maybin1992scaffolding,
  title={Scaffolding learning in the classroom},
  author={Maybin, Janet and Mercer, Neil and Stierer, Barry},
  journal={Thinking voices: The work of the national oracy project},
  pages={186--195},
  year={1992},
  publisher={Hodder and Stoughton London}
}

@article{barker2021economic,
  title={The Economic Impact of Laws that Weaken Encryption},
  author={Barker, George Robert and Lehr, William and Loney, Mark and Sicker, Douglas},
  journal={Available at SSRN 3866902},
  year={2021}
}

@article{bliss1996effective,
  title={Effective teaching and learning: Scaffolding revisited},
  author={Bliss, Joan and Askew, Mike and Macrae, Sheila},
  journal={Oxford review of Education},
  volume={22},
  number={1},
  pages={37--61},
  year={1996},
  publisher={Taylor \& Francis}
}

@misc{encryptionmyths,
  title={Breaking Encryption Myths},
  author={Global Encryption Coalition},
  howpublished = "\url{https://www.globalencryption.org/2020/11/breaking-encryption-myths/}",
  note={Last accessed 2021-09-30}
}

@article{carter2013tutoring,
  title={A tutoring system for debugging: status report},
  author={Carter, Elizabeth and Blank, Glenn D},
  journal={Journal of Computing Sciences in Colleges},
  volume={28},
  number={3},
  pages={46--52},
  year={2013},
  publisher={Consortium for Computing Sciences in Colleges}
}

@article{abuel2018intelligent,
  title={An Intelligent Tutoring System for Learning Classical Cryptography Algorithms (CCAITS)},
  author={AbuEl-Reesh, Jihan Y and Abu-Naser, Samy S},
  journal={International Journal of Academic and Applied Research (IJAAR)},
  volume={2},
  number={2},
  year={2018}
}

@article{abu2009evaluating,
  title={Evaluating the effectiveness of the CPP-Tutor, an Intelligent Tutoring System for students learning to program in C++},
  author={Abu-Naser, Samy S},
  year={2009},
  journal={Journal of Applied Sciences Research}
}

@article{mahdi2016intelligent,
  title={An intelligent tutoring system for teaching advanced topics in information security},
  author={Mahdi, Ali O and Alhabbash, Mohammed I and Abu-Naser, Samy S},
  year={2016},
  journal={World Wide Journal of Multidisciplinary Research and Development}
}


@article{mitrovic2003intelligent,
  title={An intelligent SQL tutor on the web},
  author={Mitrovic, Antonija},
  journal={International Journal of Artificial Intelligence in Education},
  volume={13},
  number={2-4},
  pages={173--197},
  year={2003},
  publisher={IOS Press}
}

@article{schiaffino2008eteacher,
  title={eTeacher: Providing personalized assistance to e-learning students},
  author={Schiaffino, Silvia and Garcia, Patricio and Amandi, Analia},
  journal={Computers \& Education},
  volume={51},
  number={4},
  pages={1744--1754},
  year={2008},
  publisher={Elsevier}
}

@inproceedings{alshammari2015design,
  title={Design and usability evaluation of adaptive e-learning systems based on learner knowledge and learning style},
  author={Alshammari, Mohammad and Anane, Rachid and Hendley, Robert J},
  booktitle={IFIP Conference on Human-Computer Interaction},
  pages={584--591},
  year={2015},
  organization={Springer}
}

@inproceedings{graf2006representative,
  title={Representative characteristics of felder-silverman learning styles: An empirical model},
  author={Graf, Sabine and Viola, Silvia Rita and Kinshuk, T Leo},
  booktitle={Proceedings of the IADIS International Conference on Cognition and Exploratory Learning in Digital Age (CELDA 2006), Barcelona, Spain},
  pages={235--242},
  year={2006}
}

@article{felder1988learning,
  title={Learning and teaching styles in engineering education},
  author={Felder, Richard M and Silverman, Linda K and others},
  journal={Engineering education},
  volume={78},
  number={7},
  pages={674--681},
  year={1988},
  publisher={North Carolina}
}

@inproceedings{giannakas2015cyberaware,
  title={CyberAware: A mobile game-based app for cybersecurity education and awareness},
  author={Giannakas, Filippos and Kambourakis, Georgios and Gritzalis, Stefanos},
  booktitle={2015 International Conference on Interactive Mobile Communication Technologies and Learning (IMCL)},
  pages={54--58},
  year={2015},
  organization={IEEE}
}

@article{jin2018evaluation,
  title={Evaluation of game-based learning in cybersecurity education for high school students},
  author={Jin, Ge and Tu, Manghui and Kim, Tae-Hoon and Heffron, Justin and White, Jonathan},
  journal={Journal of Education and Learning (EduLearn)},
  volume={12},
  number={1},
  pages={150--158},
  year={2018}
}

@inproceedings{beckers2016serious,
  title={A serious game for eliciting social engineering security requirements},
  author={Beckers, Kristian and Pape, Sebastian},
  booktitle={2016 IEEE 24th International Requirements Engineering Conference (RE)},
  pages={16--25},
  year={2016},
  organization={IEEE}
}

@article{yasin2018design,
  title={Design and preliminary evaluation of a cyber Security Requirements Education Game (SREG)},
  author={Yasin, Affan and Liu, Lin and Li, Tong and Wang, Jianmin and Zowghi, Didar},
  journal={Information and Software Technology},
  volume={95},
  pages={179--200},
  year={2018},
  publisher={Elsevier}
}

@incollection{pazzani2007content,
  title={Content-based recommendation systems},
  author={Pazzani, Michael J and Billsus, Daniel},
  booktitle={The adaptive web},
  pages={325--341},
  year={2007},
  publisher={Springer}
}

@article{jia2018practical,
  title={A practical approach to constructing a knowledge graph for cybersecurity},
  author={Jia, Yan and Qi, Yulu and Shang, Huaijun and Jiang, Rong and Li, Aiping},
  journal={Engineering},
  volume={4},
  number={1},
  pages={53--60},
  year={2018},
  publisher={Elsevier}
}

@inproceedings{kang2013security,
  title={A security ontology with MDA for software development},
  author={Kang, Wentao and Liang, Ying},
  booktitle={2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery},
  pages={67--74},
  year={2013},
  organization={IEEE}
}

@book{bolton1976handbook,
  title={Handbook of measurement and evaluation in rehabilitation.},
  author={Bolton, Brian Ed},
  year={1976},
  publisher={University Park Press}
}

@article{moeyaert2016easy,
  title={When easy becomes boring and difficult becomes frustrating: disentangling the effects of item difficulty level and person proficiency on learning and motivation},
  author={Moeyaert, Mariola and Wauters, Kelly and Desmet, Piet and Van den Noortgate, Wim},
  journal={Systems},
  volume={4},
  number={1},
  pages={14},
  year={2016},
  publisher={Multidisciplinary Digital Publishing Institute}
}

@inproceedings{baker1999development,
  title={The development of a common enumeration of vulnerabilities and exposures},
  author={Baker, David W and Christey, Steven M and Hill, William H and Mann, David E},
  booktitle={Recent Advances in Intrusion Detection},
  volume={7},
  pages={9},
  year={1999}
}

@article{mcgraw2004software,
  title={Software security},
  author={McGraw, Gary},
  journal={IEEE Security \& Privacy},
  volume={2},
  number={2},
  pages={80--83},
  year={2004},
  publisher={IEEE}
}

@book{wittig2018amazon,
  title={Amazon web services in action},
  author={Wittig, Michael and Wittig, Andreas},
  year={2018},
  publisher={Simon and Schuster}
}

@article{chen2005personalized,
  title={Personalized e-learning system using item response theory},
  author={Chen, Chih-Ming and Lee, Hahn-Ming and Chen, Ya-Hui},
  journal={Computers \& Education},
  volume={44},
  number={3},
  pages={237--255},
  year={2005},
  publisher={Elsevier}
}

@article{yarandi2011personalised,
  title={Personalised mobile learning system based on item response theory},
  author={Yarandi, Maryam and Jahankhani, Hamid and Dastbaz, Mohammad and Tawil, Abdel-Rahman},
  journal={Advances in Computing and Technology},
  year={2011}
}

@article{khanal2020systematic,
  title={A systematic review: machine learning based recommendation systems for e-learning},
  author={Khanal, Shristi Shakya and Prasad, PWC and Alsadoon, Abeer and Maag, Angelika},
  journal={Education and Information Technologies},
  volume={25},
  number={4},
  pages={2635--2664},
  year={2020},
  publisher={Springer}
}

@book{elo1978rating,
  title={The rating of chessplayers, past and present},
  author={Elo, Arpad E},
  year={1978},
  publisher={Arco Pub.}
}

@article{elo2008logistic,
  title={Logistic probability as a rating basis},
  author={Elo, Arpad E},
  journal={The Rating of Chessplayers, Past\&Present. Bronx NY},
  volume={10453},
  year={2008}
}

@article{wise2021elo,
  title={Elo Ratings for Large Tournaments of Software Agents in Asymmetric Games},
  author={Wise, Ben},
  journal={arXiv preprint arXiv:2105.00839},
  year={2021}
}

@article{copilot2021,
  author    = {Hammond Pearce and
               Baleegh Ahmad and
               Benjamin Tan and
               Brendan Dolan{-}Gavitt and
               Ramesh Karri},
  title     = {An Empirical Cybersecurity Evaluation of GitHub Copilot's Code Contributions},
  journal   = {CoRR},
  volume    = {abs/2108.09293},
  year      = {2021},
  url       = {https://arxiv.org/abs/2108.09293},
  eprinttype = {arXiv},
  eprint    = {2108.09293},
  timestamp = {Mon, 23 Aug 2021 14:07:13 +0200},
  biburl    = {https://dblp.org/rec/journals/corr/abs-2108-09293.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}

@article{sampaio2016exploring,
  title={Exploring context-sensitive data flow analysis for early vulnerability detection},
  author={Sampaio, Luciano and Garcia, Alessandro},
  journal={Journal of Systems and Software},
  volume={113},
  pages={337--361},
  year={2016},
  publisher={Elsevier}
}

@inproceedings{votipka2020understanding,
  title={Understanding security mistakes developers make: Qualitative analysis from build it, break it, fix it},
  author={Votipka, Daniel and Fulton, Kelsey R and Parker, James and Hou, Matthew and Mazurek, Michelle L and Hicks, Michael},
  booktitle={29th $\{$USENIX$\}$ Security Symposium ($\{$USENIX$\}$ Security 20)},
  pages={109--126},
  year={2020}
}


@misc{nist-enhancing,
    author = "{NIST}",
    title  = "{Enhancing Software Supply Chain Security}",
    howpublished = "\url{https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/enhancing-software-supply-chain-security}", 
    note   = "(Archived) Last accessed 2021-11-14",
}

@misc{patent-publication,
    author = "{De Cremer, Pieter and Desmet, Nathan and Madou, Matias and Wong, Colin}",
    title  = "{Method and system for adaptive security guidance}",
    howpublished = "\url{https://patents.google.com/patent/US20200211135A1/en}", 
    note   = "US20200211135A1",
}

@article{de2020sensei,
  title={Sensei: Enforcing secure coding guidelines in the integrated development environment},
  author={De Cremer, Pieter and Desmet, Nathan and Madou, Matias De Sutter, Bjorn},
  journal={Software: Practice and Experience},
  volume={50},
  number={9},
  pages={1682--1718},
  year={2020},
  publisher={Wiley Online Library}
}

@InProceedings{software-delivery-performance,
author="Sallin, Marc
and Kropp, Martin
and Anslow, Craig
and Quilty, James W.
and Meier, Andreas",
editor="Gregory, Peggy
and Lassenius, Casper
and Wang, Xiaofeng
and Kruchten, Philippe",
title="Measuring Software Delivery Performance Using the Four Key Metrics of DevOps",
booktitle="Agile Processes in Software Engineering and Extreme Programming",
year="2021",
publisher="Springer International Publishing",
address="Cham",
pages="103--119",
abstract="The Four Key Metrics of DevOps have become very popular for measuring IT-performance and DevOps adoption. However, the measurement of the four metrics deployment frequency, lead time for change, time to restore service and change failure rate is often done manually and through surveys - with only few data points. In this work we evaluated how the Four Key Metrics can be measured automatically and developed a prototype for the automatic measurement of the Four Key Metrics. We then evaluated if the measurement is valuable for practitioners in a company. The analysis shows that the chosen measurement approach is both suitable and the results valuable for the team with respect to measuring and improving the software delivery performance.",
isbn="978-3-030-78098-2"
}

@inproceedings{ben2015factors,
  title={Factors impacting the effort required to fix security vulnerabilities},
  author={ben Othmane, Lotfi and Chehrazi, Golriz and Bodden, Eric and Tsalovski, Petar and Brucker, Achim D and Miseldine, Philip},
  booktitle={International Conference on Information Security},
  pages={102--119},
  year={2015},
  organization={Springer}
}

@article{sdlc-cost,
author = {Dawson, Maurice and Burrell, Darrell and Rahim, Emad and Brewster, Stephen},
year = {2010},
month = {01},
pages = {49-53},
title = {Integrating Software Assurance into the Software Development Life Cycle (SDLC)},
volume = {3},
journal = {Journal of Information Systems Technology and Planning}
}