[Owasp-leaders] Free training at major OWASP AppSec conferences

Sarah Baso sarah.baso at owasp.org
Tue Mar 25 17:10:57 UTC 2014

Thanks Simon -

Here are my thoughts:

I definitely agree that we should do and need to do free training as part
of spreading our mission and educating the community.  The critical piece
of this is setting some basic ground rules (operational framework) to make
this scalable and sustainable.

The staff discussed this at our recent staff summit and here are the
proposed ground rules:

   1. *Basic principals:*  use local and free when possible, non
   proprietary training materials, open call for training, try not to compete
   with paid training at global appsecs
   2. Free training outside of global appsec conferences - not too many
   restrictions, but best to find a way to do these as a low overhead cost to
   OWASP.  Venues cost money, flying in trainers costs money... but if we try
   to find free venues and local (or at least regional trainers) that are
   using open source training slides (so not necessarily developed by them),
   THIS is a scalable model.  We could even find sponsorship opportunities for
   these the way we do for local chapter meetings.
   3. Free training at global appsec conferences - ok, but should not run
   in direct competition to paid training.  We don't need a case study to say
   if there is a free training and a paid training, people will sign up for
   the free training instead of the paid (wouldn't you)?  What I proposed is
   that free training at conference be in the evening of the training days or
   during the conference days (or the day after as fine) but NOT indirect
   parallel to the paid training.  Also, I suggest looking at a comparison
   between topics and time frame of the paid courses vs the free course(s).  A
   free training that is for beginners/intro that lasts 4 hours likely will
   not complete with a 2 day hands-on, advanced security course.
   4. I strongly advise (and when it is a global event this should be
   policy) that free training is done through a call for training like we do
   paid training,  this opens up the opportunity to anyone that is willing to
   do the training and not just those who we know might be willing.  I think
   this will also encourage more people to be engaged in OWASP free training.
    Finally, this will avoid giving preference to board members or any one
   vendor (no criticism here, just think that this open policy is preferred).

I don't know that we need a survey as much as setting a basic framework for
this and then seeing how it goes.  That said, i am good with a straw poll,
but am interested to see how it would be phrased without vastly
oversimplifying the issues and variables.



On Tue, Mar 25, 2014 at 10:05 AM, psiinon <psiinon at gmail.com> wrote:

> Leaders,
> There has been a discussion on the AppSec EU 2014 list regarding the pros
> and cons of giving free training at major OWASP AppSec conferences.
> A _very_ quick summary: Free training is a great way to get our message
> across, but can (and it is claimed does) eat into our revenue, which will
> therefore limit what else we can achieve.
> A poll was suggested, but it has been pointed out that this might be
> counterproductive without a more detailed discussion regarding the full
> impact this sort of free training could have.
> I can understand that, but I would really like to hear the communities
> views on this.
> I hope thats not too biased an introduction (I'm sure my views will become
> apparent soon;) and that it is enough to get the discussion started...
> Cheers,
> Simon
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Executive Director
OWASP Foundation

sarah.baso at owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140325/65c60b38/attachment.html>

More information about the OWASP-Leaders mailing list