2026 ASEE Annual Conference & Exposition

J-WAVE: A Java Web Application for Vulnerability Education

Presented at CIT Technical Session 7: Cybersecurity Education and Practice

Static application security testing (SAST) tools are commonly used by professionals to identify security vulnerabilities before deployment. While such tools are indispensable in industry, their fragmented ecosystems and complex configuration requirements often preclude their effective use in an educational context. This paper presents J-WAVE (the Java Web Application for Vulnerability Education), a unified web-based framework that encapsulates five industry-standard SAST tools: PMD, FindSecurityBugs, Semgrep, Yasca, and SonarQube. By internalizing tool configuration and providing a scalable REST API capable of processing batch submissions, J-WAVE transforms reactive testing into a proactive pedagogical instrument. J-WAVE offers simplicity to users by handling each tool’s setup internally, while offering access to the large, collective rule set contributed by the combined tool suite. Students can scan their own projects easily, while educators can scan many submissions in batch. This paper reports on experiences from applying J-WAVE’s tool suite to student submissions in two courses: an advanced data structures course, and a web application development course. Our findings reveal that the integrated tools are highly complementary and that detection efficacy is optimized by tailoring tool prioritization to specific project domains—emphasizing code quality scanners for general applications and vulnerability-focused tools for web environments. This work enables integrating robust, multi-tool security audits into the computer science curriculum.

Authors

Michael Alexander Kyer Virginia Polytechnic Institute and State University
Prof. Stephen H Edwards http://orcid.org/https://0000-0002-5162-9314 Virginia Polytechnic Institute and State University [biography]

Stephen H. Edwards is a Professor and the Associate Department Head for Undergraduate Studies in the Department of Computer Science at Virginia Tech, where he has been teaching since 1996. He received his B.S. in electrical engineering from Caltech, and M.S. and Ph.D. in computer and information science from The Ohio State University. His research interests include computer science education, software testing, software engineering, and programming languages. He is the project lead for Web-CAT, the most widely used open-source automated grading system in the world. Web-CAT is known for allowing instructors to grade students based on how well they test their own code. In addition, his research group has produced a number of other open-source tools used in classrooms at many other institutions. Currently, he is researching innovative methods for giving feedback to students as they work on assignments to provide a more welcoming experience for students, recognizing the effort they put in and the accomplishments they make as they work on solutions. The goals of his research are to strengthen growth mindset beliefs while encouraging deliberate practice, self-checking, and skill improvement as students work.
Dr. Bob Edmison Virginia Polytechnic Institute and State University [biography]

Dr. Edmison is a Collegiate Associate Professor in the Department of Computer Science at Virginia Tech. His research focuses on alternative grading practices, accessibility, and the tools to support them.

Note

The full paper will be available to logged in and registered conference attendees once the conference starts on June 21, 2026, and to all visitors after the conference ends on June 24, 2026

« View session

For those interested in:

computer science
information technology
undergraduate