Effective Security Education and Related OWASP Initiatives Sandeep S. Nain snain@appsecure.com @nainsandeep
Who am I?
- Sandeep Nain
- Managing Partner, Appsecure
- Chapter Leader, OWASP Melbourne
- Ex-Developer
- Love talking about motorbikes, movies and application security
Why am I here?
- Importance of security education
- Current state of security education
- Getting maximum benefit from education programs
- A recent paper by yours truly
- How OWASP can help
Importance of security education
"Must haves" of a good training
- What type of training?
  - Role based: Development Managers, Developers, QA Teams
  - Methodical and systematic: Basics → Intermediate → Advanced
  - Engaging
- One size fits all doesn't work
  - Understand the organization's culture and skill level
  - Customize as required
  - Add internal policies and processes where possible
Current Delivery Methods
- Instructor Led Training (ILT)
  - Classroom style, 15-20 attendees per instructor
  - Duration: 1 day to 5 days
- Computer Based Training (CBT)
  - Modularized
  - 30 minutes to a few hours
Is this working?
- Substantial number of vulnerabilities are being found during assessments
- Companies are still being breached by exploiting common flaws (Sony, Heartland Payment Systems)
- Which means... developers are still writing vulnerable code
It is NOT working...
- Most of what is being taught in these education programs doesn't get applied
In the language of Business
- It's all about money
- Investment vs. Return (ROI)
- Minimal ROI
It's NOT working... Where is the problem?
- Attendees or Training Approach?
It is the Training Approach - IMHO
Analysis - Instructor Led Training
- Facts
  - Multiple days duration
  - 15-20 key project members confined for multiple days
- But
  - Tight project deadlines
  - Difficult to organize
  - Continuous external distractions: urgent emails, production issues, scheduled project meetings
Analysis - Instructor Led Training
- Facts
  - Multiple topics clubbed together, from basics to advanced
  - Overwhelming: information gathered over years transferred in hours
- But
  - A test of the human mind's ability
  - Difficult to grasp and retain
  - No time to try, test and read further
  - Attendees lose interest from time to time
Analysis - Computer Based Training
- Expectations
  - Expected to be cost effective
  - Expected to overcome the issues of ILT
- Facts
  - Monotonous voice
  - Non engaging
  - No practical
  - Little information on advanced topics
- So
  - Trainees lose interest
  - Poor learning experience
Confirmation
- Small survey: 7 organizations (banking, software vendors, government), 130 developers
- Results: 93% agreed with the points raised
- Verdict: the current training approach provides minimal ROI
So – What do we do?
- Go back to basics
- Why do students learn more at universities and colleges?
- Analyze and improve traditional methods of training
- Apply to professional training
The Solution – The Re-Birth of Lectures
- Information Security Lectures
- Break down the monolithic training courses
- Small chunks of 1.5 to 2.5 hours
Is it that straightforward?
- Every lecture MUST be self-contained
  - One topic per lecture, or multiple CLOSELY related small topics (e.g. principles of secure architecture and design)
- Must be an engaging experience for attendees
  - Hands-on, trivia
- Sufficient gap between two lectures
  - One lecture per week
  - Enough time to learn further, try and apply
- Project members may only attend the lectures directly related to their role
Benefits of this Approach
- Easy to organize
  - Negligible impact on project commitments
  - Easy management buy-in
  - Easily accepted by development staff
- Better learning experience
  - Attendees are more focused
  - Highly likely to grasp, retain and try
- Highly cost effective
  - People only attend the sessions they actually need to
  - Company only has to pay for 2 hours and not 2 days
In short
- Highly likely: reduction of security bugs
- Stronger backbone in terms of security
- Significant increase in ROI from education programs
Related OWASP Projects
OWASP Education Projects
- OWASP Appsec Tutorial Project
- OWASP Education Project
- OWASP CBT Project
OWASP Appsec Tutorial Project
- Project Leader – Jerry Hoff
- What is it?
  - New project
  - High quality content
  - Small video based training materials
- Goals
  - Convey complex application security topics in a fun and informative way
- Where: https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
- Available tutorials
  - Introduction
  - Injection attacks
  - Cross-site scripting
OWASP Education Project
- Project Leader – Martin Knobloch
- What is it?
  - Large collection of application security resources from several industry experts
  - Slide decks, papers, videos and audio recordings
  - Free to use for non-commercial purposes
- Where: https://www.owasp.org/index.php/Category:OWASP_Education_Project
- Resources
  - What developers should know (application security for developers)
  - Application security 101
  - OWASP Top 10
  - Secure coding best practices
  - Secure SDL implementation
  - OWASP ASVS (training slides on secure coding)
  - OWASP Safe Browsing
  - and many more...
OWASP CBT Project
- Project Leader – Nishi Kumar
- What is it?
  - Computer based training on important application security topics
- Project status: 3 courses available
  - OWASP Top 10 - 2007
  - Compliance (PCI)
  - Vulnerability scanning using W3AF
- Where: https://www.owasp.org/index.php/Category:OWASP_CBT_Project
Subscribe to the mailing list at www.owasp.org and keep up to date!
Want to support OWASP?
- Become a member with an annual donation of $50 (Individual) or $5000 (Corporate)
- This enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities...