Learning by Failing (and Fixing)

Abstract

Vulnerable software is one of the main challenges the IT industry faces today. According to Symantec's Internet Security Threat Report [1], of the 2,461 security vulnerabilities discovered in the first half of 2007, more than 60 percent related to Web applications. To build better and more secure applications, developers need security knowledge. Until very recently, hardly any universities focused on teaching students how to build secure software—and many still don't. It's possible for a student to complete an education as a software engineer without learning anything about how to build secure systems.

At the Norwegian University of Science and Technology, we've offered a course on software security for two years now (fall 2006 and 2007). We developed this popular course in close cooperation with SINTEF, a Norwegian research foundation closely tied to the university. In both years, we had more than 60 students, which is rather high for an elective class. Approximately 150 to 200 students are eligible to take the class, and they can choose from 15 to 20 different classes.

Here, we present our experiences in teaching the course. Because software security is a relatively new course topic, there isn't much previous experience to review when developing such a curriculum. So, we focus on our class exercises, which have been crucial to the course. We hope our experiences provide valuable input to others and start an ongoing discussion on how best to teach software security.

Category

Academic article

Language

English

Author(s)

Affiliation

  • Norwegian University of Science and Technology
  • SINTEF
  • SINTEF Digital / Software Engineering, Safety and Security

Year

2008

Published in

IEEE Security and Privacy

ISSN

1540-7993

Volume

6

Issue

4

Page(s)

54-56