[Owasp-leaders] Any good appsec workshop exercises for non technical audiences?

Andy Lewis alewis at owasp.org
Tue Dec 12 13:18:29 UTC 2017

Hello Antonio - 30 minutes is probably just enough time to get through a
good background story followed by some very simple exercises.
My inclination would be to do something very, very simple in a context
meaningful to them.  Insecure direct object references and URL substitution
(broken auth & session management)  come to mind. No tools required, just
tell the story of a very large bank that allowed access to any account
using simple URL substitution and let them login to a site, save the URL,
and have their buddies access it w/out authentication.  Then change the URL
and access somebody else's objects without auth.

Part of the point of this is that no technical savvy is required and the
"only" effective countermeasure is secure coding practices.  They could
spend all day on the exhibit floor at RSA and not find a single vendor who
could solve this problem outside of Developer Education (although many
might say they could).  Another point is that if it can happen to a massive
international bank with all their resources, it could most certainly happen
to anyone.

HTH.  Please PM me if you want to get into the weeds,

On Mon, Dec 11, 2017 at 4:11 PM, Antonio Fontes - OWASP <
antonio.fontes at owasp.org> wrote:

> Hello fellow Leaders,
> I am setting up a half-day internal introduction/workshop to a small group
> of project managers involved in web projects.
> While I have a good view on what I will show them in terms of content and
> topics, I'm having some difficulty in finding an exercise they could do
> after the "slides" part and, which would not require technical skills (they
> are definitely not versed in terms of appsec/web dev).
> Two main questions:
> 1) have some of you included hands-on/exercises in appsec awareness
> sessions when there are no technical people in the audience (not technical
> meaning not showing source code, no asking to perform attacks on websites
> and no threat modeling)? Should exercises be avoided with high level
> audiences? Any experiences you would be willing to share? Or would you
> recommend sticking to "presenter" mode?
> (P.S. i have a 30-45 minutes "budget")
> 2) If you have exercises to recommended (or to avoid) please feel more
> than welcome to share!
> Cheers,
> Antonio
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20171212/04e95dd7/attachment.html>

More information about the OWASP-Leaders mailing list