El que lee mucho y anda mucho, ve mucho y sabe mucho.
(The one who reads a lot and goes around a lot, sees much and knows much.)
Miguel de Cervantes, El ingenioso hidalgo don Quijote de la Mancha
I started working on security when I joined IBM, where I worked for almost nine years doing security research. I coauthored a book on database security while there, one of the first to appear on this topic. I later realized that a large amount of security knowledge was wasted, because practitioners had not read the variety of books and papers that had started to appear; they kept repeating the same mistakes. In particular, software developers knew little about security.

Later I participated in a conference about patterns and realized that expressing security knowledge as patterns could be an effective way to spread this knowledge. Around that time, Yoder and Barcalow [Yod97] published a paper about expressing security solutions as patterns that further convinced me that this was a good direction. I found later that security patterns could do more than propagate security knowledge to inexperienced developers; they could also be useful for security experts, to help them apply security in a systematic way to build new applications or products, understand complex standards, audit complex applications and reengineer legacy systems.

I was coauthor of a book that published most of the security patterns known up to 2005. However, since that book was published, many more patterns have appeared. ...