
1 OWASP Education Working Session Notes - Ideas
Nov 05, 2008
The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2 OWASP Guidelines
- Structure materials existing (mostly technical)
- Create non-existent (mostly non-technical)

3 OWASP
- Goal – Knowledge transfer from OWASP projects towards the community
- Ideas
- PR project in sync with education
- Increase awareness of OWASP among C-level executives
- Guide to the Guides (Executive Summary)
- Textbooks – focus on the learner not the trainer
- How-To’s / OWASP for dummies / digital editions
- Participate in development, CSO conferences
- Flash demonstrations of the Top 10 / YouTube
- Synergy with LiveCD
- Training by target audience and by role
- Videos for WebGoat exploits in action: http://yehg.net/lab/pr0js/training/webgoat.php

4 OWASP
- Role based training
- Material (Y-axis) & Role (X-axis) exercise
- 3 Roles – Managers + Analysts, Architects + Developers, Security Auditors + QA (testers)
- Student Roles
- Should be Novice level
- Six month or Year long process
- Should they be evaluated at the end?
- Canned guest lectures

5 OWASP
- Where to focus? (ideas)
- Focus on the do-ers, focus on students secondarily
- Educate the educators (force-multiplier)
- Vote: Generally agreed to focus on educating the doers with regard to three roles
- Boot camp
- Some difficulty with the various quality levels between existing materials
- Problems with revisioning and sharing (Google Docs solution maybe)
- Should be broad scope of topics (covered lightly) with deeper references to more OWASP materials/resources
- Ask projects to provide boot camp materials for their projects and target audience
- Pick an OWASP conference and reserve a slot for the OWASP Boot Camp (Washington DC in 2009 as suggested by Rex Booth)

6 OWASP
- Structure of training materials
- PowerPoints with slide notes (there’s an Education Project guideline about this)
- There must be slide notes
- Can do recordings of presentation and transcribe the notes for completeness
- Updated “intro to OWASP” deck
- Something small that introduces people to OWASP, resources, projects, etc.
- Coordinated way to contact speakers
- Linked to OWASP on the Move

7 OWASP Winter of Code possibility
- Map content to target audience and roles

8 OWASP Ideas to consider for implementation
- Allow people to train themselves
- Live CD Integration
- Assists Universities/Academia and High School
- Corporate (non-tech professionals)
- Complement internal training programs

