A set of courses for teaching secure software development

A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers. Every day the press reports of attacks to web sites or databases around the world, resulting in millions of dollars in direct or indirect losses. This situation does not appear to improve. There are several reasons for this situation, including the pressure to bring products to the market quickly, the complexity of modern software, the lack of knowledge about security of most developers, and others. Until recently the only vendors' response to problems of security was to provide patches to fix the latest vulnerability found. However, patches are clearly not the best solution: it is hard for system administrators to keep up with the latest patches and the patch itself may open new possibilities for attack. There are two basic approaches to improve application security: 1) examine final production code and look for possible problems, e.g., buffer overflow conditions [How03] or 2) plan for security from the beginning. We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole lifecycle. As indicated, a good part of the problem is that developers are not, in general, acquainted with security development methods. We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.