Effective Security Education and Related OWASP Initiatives


1 Effective Security Education and Related OWASP Initiatives
Sandeep S. Nain @nainsandeep

2 Who am I?
Sandeep Nain
Managing Partner, Appsecure
Chapter Leader, OWASP Melbourne
Ex-developer
Loves talking about motorbikes, movies and application security

3 Why am I here?
Importance of security education
Current state of security education
Getting maximum benefit from education programs
A recent paper by yours truly
How OWASP can help

4 Importance of security education

5 "Must haves" of a good training program
What type of training?
Role based: development managers, developers, QA teams
Methodical and systematic: basics, then intermediate, then advanced
Engaging
One size fits all does not work: understand the organization's culture and skill level, customize as required, and add internal policies and processes where possible

6 Current Delivery Methods
Instructor-led training (ILT): classroom style, 15-20 attendees per instructor, duration 1 to 5 days
Computer-based training (CBT): modularized, 30 minutes to a few hours

7 Is this working?
A substantial number of vulnerabilities are still being found during assessments
Companies are still being breached through common flaws (Sony, Heartland Payment Systems)
Which means developers are still writing vulnerable code

8 It is NOT working...
Most of what is taught in these education programs never gets applied

9 In the language of business
It's all about money: investment vs. return (ROI)
Current programs deliver minimal ROI

10 Attendees or training approach?
It's NOT working. Where is the problem: the attendees or the training approach?

11 It is the training approach, in my opinion

12 Analysis - Instructor-led training
Facts: multiple days in duration; 15-20 key project members confined for several days
But: tight project deadlines make it difficult to organize, and there are continuous external distractions (urgent emails, production issues, scheduled project meetings)

13 Analysis - Instructor-led training
Facts: multiple topics clubbed together, basics to advanced; overwhelming, with information gathered over years transferred in hours
But: this tests the limits of the human mind; the material is difficult to grasp and retain; there is no time to try, test and read further; attendees lose interest from time to time

14 Analysis - Computer-based training
Expectations: expected to be cost effective and to overcome the issues of ILT
Facts: monotonous voice, non-engaging, no practical exercises, little information on advanced topics
So trainees lose interest and have a poor learning experience

15 Confirmation
Small survey: 7 organizations (banking, software vendors, government), 130 developers
Results: 93% agreed with the points raised
Verdict: the current training approach provides minimal ROI

16 So, what do we do? Go back to basics
Why do students learn more at universities and colleges?
Analyze and improve the traditional methods of teaching, then apply them to professional training

17 The Solution - The Rebirth of Lectures
Information security lectures: break down the monolithic training courses into small chunks of 1.5 to 2.5 hours

18 Is it that straightforward?
Every lecture MUST be self-contained: one topic per lecture, or multiple closely related small topics (e.g. principles of secure architecture and design)
Must be an engaging experience for attendees: hands-on exercises, trivia
Sufficient gap between two lectures: one lecture per week, leaving enough time to learn further, try and apply
Project members need only attend the lectures directly related to their role

19 Benefits of this approach
Easy to organize: negligible impact on project commitments, easy management buy-in, easily accepted by development staff
Better learning experience: attendees are more focused and highly likely to grasp, retain and try
Highly cost effective: people only attend the sessions they actually need, and the company only pays for 2 hours rather than 2 days

20 In short
Highly likely reduction in security bugs
Stronger backbone in terms of security
Significant increase in ROI from education programs

21 Related OWASP Projects

22 OWASP Education Projects
OWASP Appsec Tutorial Project OWASP Education Project OWASP CBT Project

23 OWASP Appsec Tutorial Project
Project leader: Jerry Hoff
What is it? A new project providing high quality, short, video-based training materials
Goal: convey complex application security topics in a fun and informative way
Where

24 OWASP Appsec Tutorial Project
Available tutorials: Introduction; Injection Attacks; Cross-Site Scripting

25 OWASP Education Project
Project leader: Martin Knobloch
What is it? A large collection of application security resources from several industry experts: slide decks, papers, videos and audio
Free to use for non-commercial purposes
Where

26 OWASP Education Project
Resources: What developers should know (application security for developers); Application security 101; OWASP Top 10; Secure coding best practices; Secure SDL implementation; OWASP ASVS (training slides on secure coding); OWASP Safe Browsing; and many more...

27 OWASP CBT Project
Project leader: Nishi Kumar
What is it? Computer-based training on important application security topics
Project status: 3 courses available (OWASP Top 10; Compliance (PCI); Vulnerability scanning using W3AF)
Where

28 Subscribe to the mailing list
Keep up to date!

29 Want to support OWASP?
Become a member with an annual donation of $50 (individual) or $5000 (corporate)
This enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities...
