Security testing in software engineering courses

Writing secure code is at the heart of computing security. Unfortunately traditional software engineering textbooks failed to provide adequate methods and techniques for students and software engineers to bring security engineering approaches to software development process generating secure software as well as correct software. This paper argues that a security testing phase should be added to software development process with systematic approach to generating and conducting destructive security test sets following a complete coverage principle. Software engineers must have formal training on writing secure code. The security testing tasks include penetrating and destructive tests that are different from functional testing tasks currently covered in software engineering textbooks. Systematic security testing approaches should be seamlessly incorporated into software engineering curricula and software development process. Moreover, component-based development and formal methods could be useful to produce secure code, as well as automatic security checking tools. Some experience of applying security testing principles in our software engineering course teaching is reported.