Attack Patterns can be used in education in order to teach students how applications
are attacked, and what kinds of techniques they will need to employ in order to
prevent their applications from being vulnerable to those kinds of attacks.
Attack Patterns provide a clear, concise mechanism to present this topic to students.
Software security, and IT security in general, is a topic that is still poorly served
by the global education system. While some universities are beginning to teach IT
security in their IT-based courses, software security is still largely overlooked.
Recent reports from Gartner and other organisations have placed the share of attacks
aimed at the application layer at or above 80%. Clearly, our education system has to
focus on protecting the application layer.
Attack Patterns provide a mechanism by which students can be introduced to the attack
and its mitigation together. This provides a link between the two that the student
can focus on, and use in their projects and future development efforts.
Since Attack Patterns (APs) link the attack, the mitigation, the testing strategy and
reference material in one unit, students have a wealth of information in a centralised
location. This is a tool that they can use to learn defensive security practices
alongside their normal development techniques.
For courses focused on application security, APs provide a focal point for developing
and organising information about the software security landscape.
Teaching students to use APs in IT operations environments provides them with a
consistent and structured way to deal with an ever-changing environment.
It can arm them with the techniques they need to quickly evaluate, categorise and
deal with new attacks and problems in the future.
Attack Patterns should be blended with risk management and risk assessment techniques.
In the past we have not had a clear way to categorise and assess the risk associated
with how applications may be attacked. Determining if a system is susceptible to an
attack has been subjectively based on the knowledge of the individual performing the
risk assessment. With Attack Patterns we are able to provide a clear understanding of
how the attack works, what it relies on, and how it might affect the system under
assessment. This removes much of the guesswork and subjectivity involved in determining
whether a particular attack applies to the system.
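To make both points concrete (that an AP bundles attack, mitigation, testing strategy and references in one unit, and that applicability to a system can be checked rather than guessed), here is an added example in Python. It is not code from this page or from OWASP: the pattern entries, the property and control names, and the system profile are all constructed for illustration, and the applicability rule (every prerequisite present, any one listed mitigation in place) is a simplification chosen for the example.

```python
"""Attack patterns as structured records, applied to a system under assessment.

Added example, not code from this page or from OWASP. The pattern entries,
property and control names, and the system profile are all constructed for
illustration; a real catalogue would carry far richer entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPattern:
    """One pattern bundling the attack, its mitigations, a test strategy and references."""
    name: str
    description: str
    prerequisites: frozenset   # system properties the attack depends on
    mitigations: frozenset     # controls, any one of which defeats the attack
    test_strategy: str         # how a tester confirms susceptibility
    references: tuple = ()


@dataclass(frozen=True)
class SystemProfile:
    """What the assessor has established about the system under review."""
    properties: frozenset      # characteristics the system exhibits
    controls: frozenset        # defensive controls verified to be in place


@dataclass(frozen=True)
class Finding:
    pattern: str
    mitigated: bool            # at least one listed mitigation is present
    missing_controls: frozenset
    test_strategy: str


def assess(system: SystemProfile, patterns) -> list:
    """Return a Finding for every pattern whose prerequisites the system meets.

    Applicability is a set-inclusion check, not the assessor's intuition:
    a pattern applies only if every prerequisite is a known system property.
    """
    findings = []
    for p in patterns:
        if not p.prerequisites <= system.properties:
            continue                       # the attack has nothing to rely on here
        present = p.mitigations & system.controls
        findings.append(Finding(
            pattern=p.name,
            mitigated=bool(present),
            missing_controls=p.mitigations - system.controls,
            test_strategy=p.test_strategy,
        ))
    return findings


def unmitigated(system: SystemProfile, patterns) -> list:
    """Names of applicable patterns with no mitigation in place (the residual-risk list)."""
    return [f.pattern for f in assess(system, patterns) if not f.mitigated]


# Constructed catalogue entries (illustrative wording, not CAPEC or OWASP text).
EXAMPLE_PATTERNS = (
    AttackPattern(
        name="SQL injection",
        description="Attacker-controlled input is concatenated into a database query.",
        prerequisites=frozenset({"relational-database", "untrusted-input-in-queries"}),
        mitigations=frozenset({"parameterised-queries"}),
        test_strategy="Submit quote and comment sequences to every query-bound parameter "
                      "and confirm they are treated as data, not syntax.",
        references=("OWASP Testing Guide",),
    ),
    AttackPattern(
        name="Cross-site scripting",
        description="Untrusted input is rendered into HTML without encoding.",
        prerequisites=frozenset({"renders-untrusted-input-in-html"}),
        mitigations=frozenset({"context-aware-output-encoding", "content-security-policy"}),
        test_strategy="Reflect a harmless script tag through each input and check the "
                      "response for unencoded markup.",
        references=("OWASP Testing Guide",),
    ),
    AttackPattern(
        name="Stack buffer overflow",
        description="Attacker-controlled length overruns a fixed-size native buffer.",
        prerequisites=frozenset({"native-code", "unchecked-length-copies"}),
        mitigations=frozenset({"bounds-checked-copies", "memory-safe-language"}),
        test_strategy="Fuzz length-prefixed fields with oversized values under a "
                      "memory sanitiser.",
    ),
)

# Constructed profile of a web application under assessment: it has a relational
# database fed by untrusted input and renders untrusted HTML, with only
# parameterised queries verified as a control.
EXAMPLE_SYSTEM = SystemProfile(
    properties=frozenset({"relational-database", "untrusted-input-in-queries",
                          "renders-untrusted-input-in-html"}),
    controls=frozenset({"parameterised-queries"}),
)

if __name__ == "__main__":
    for f in assess(EXAMPLE_SYSTEM, EXAMPLE_PATTERNS):
        status = "mitigated" if f.mitigated else "UNMITIGATED"
        print(f"{f.pattern}: {status}; test: {f.test_strategy}")
```

Run against the constructed profile, SQL injection is reported as applicable but mitigated, cross-site scripting as applicable and unmitigated (with both missing controls named and the test strategy attached), and the stack overflow pattern is dropped because the system has no native code. The same record that told the student how the attack works therefore also produces the test plan and the list of controls to add, which is the linkage the text above describes.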
One of the potential reasons that security is often not covered in the depth required
is that it has never been easy to quantify and present to students in a manner that
was measurable. The creation and use of Attack Patterns can be used as a measure of a
student's understanding: it is a quantifiable way of determining whether a student can
apply proper security techniques to their projects.
APs can be incorporated into courses on development methodologies, software architecture,
practical coding techniques, and testing techniques. They can be taught as part of any
corporation's or educational institution's normal development practices [14]. This is
also essential in the normal training of testers in the development teams [16].