[Owasp-leaders] Any good appsec workshop exercises for non technical audiences?

Bjoern Kimminich bjoern.kimminich at owasp.org
Tue Dec 12 15:36:18 UTC 2017


Hi Antonio,

I'm irregularly doing 45-60min awareness sessions with IT managers at my
employer, using the following slides:
http://webappsec-nutshell.kimminich.de/management-edition.html

In parallel I have an OWASP Juice Shop running with a custom theme that
makes it look like one of my employer's applications. Look & feel, products,
etc. are all tailored for that warm "this looks familiar..." feeling.

I typically start with a 10min "happy shopper" walk through the application
to show that it actually works like it should if you use it "normally".
Then I do the slides, and for all topics presented I do a demo, e.g. SQL
Injection to log in and also to steal all user data, XSS in the search field as
well as a more sophisticated demo with keylogging and dancing HTML
elements: https://www.youtube.com/watch?v=L7ZEMWRm7LA. And so on, and so
forth.

Feedback so far was very positive, especially since I'm using the Juice
Shop with a matching custom theme. Docs on how to do this can be found here:
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part1/customization.html

Maybe that's something you can build on. There's certainly enough in the
Juice Shop to occupy a group for a half-day session... ;-)

Cheers,
Björn

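The two Juice Shop demos mentioned above (SQL injection to log in, and to pull out all user data) reduced to a self-contained script, placed here as an added example; it is not code from this thread or from OWASP Juice Shop itself. The users and products tables, their rows and the plaintext passwords are constructed for the illustration (a real application stores password hashes, which changes nothing about the injection), and each vulnerable handler is shown beside its parameterised fix.

```python
"""SQL injection login bypass and data dump, beside the parameterised fix.

Added example, not code from the thread or from OWASP Juice Shop. The users
and products tables, their rows and the plaintext passwords are constructed
for this illustration; a real application stores password hashes, which does
not change how the injection works.
"""
import sqlite3


def build_db():
    """Create an in-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, email, password, role) VALUES (?, ?, ?, ?)",
        [
            (1, "admin@example.com", "admin123", "admin"),
            (2, "alice@example.com", "hunter2", "customer"),
            (3, "bob@example.com", "letmein", "customer"),
        ],
    )
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (id, name, price) VALUES (?, ?, ?)",
        [(1, "Apple Juice", 1.99), (2, "Orange Juice", 2.99), (3, "Banana Juice", 1.99)],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, email, password):
    """Build the query by string formatting: the login-bypass demo.

    email = "' OR 1=1--" turns the WHERE clause into
        email = '' OR 1=1--' AND password = '...'
    Everything after -- is a comment, so the first user row (admin) comes back.
    """
    query = (
        "SELECT id, email, role FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def safe_login(conn, email, password):
    """Parameterised: the payload is compared as a literal string and matches nothing."""
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


def vulnerable_search(conn, term):
    """Product search with the same defect: a UNION payload dumps the users table.

    term = "zzz%' UNION SELECT email, password FROM users--" yields
        ... WHERE name LIKE '%zzz%' UNION SELECT email, password FROM users--%'
    The injected SELECT must return the same number of columns (2) as the
    product query for the UNION to be accepted.
    """
    query = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(query).fetchall()


def safe_search(conn, term):
    """Parameterised search. % and _ are still LIKE wildcards inside the bound
    value; that only affects which products match, never which statement runs."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    dump_payload = "zzz%' UNION SELECT email, password FROM users--"
    print("vulnerable login:", vulnerable_login(db, "' OR 1=1--", "anything"))
    print("safe login:      ", safe_login(db, "' OR 1=1--", "anything"))
    print("vulnerable search dump:", vulnerable_search(db, dump_payload))
    print("safe search:           ", safe_search(db, dump_payload))
```

Run it as a script to see both handlers side by side; the only difference between each vulnerable/safe pair is whether the user input becomes part of the SQL text or is bound as a parameter.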
On Tue, Dec 12, 2017 at 2:18 PM, Andy Lewis <alewis at owasp.org> wrote:

> Hello Antonio - 30 minutes is probably just enough time to get through a
> good background story followed by some very simple exercises.
> My inclination would be to do something very, very simple in a context
> meaningful to them. Insecure direct object references and URL substitution
> (broken auth & session management) come to mind. No tools required, just
> tell the story of a very large bank that allowed access to any account
> using simple URL substitution and let them log in to a site, save the URL,
> and have their buddies access it without authentication. Then change the URL
> and access somebody else's objects without auth.
>
> Part of the point of this is that no technical savvy is required and the
> "only" effective countermeasure is secure coding practices.  They could
> spend all day on the exhibit floor at RSA and not find a single vendor who
> could solve this problem outside of Developer Education (although many
> might say they could).  Another point is that if it can happen to a massive
> international bank with all their resources, it could most certainly happen
> to anyone.
>
> HTH. Please PM me if you want to get into the weeds,
> Andy
>
> On Mon, Dec 11, 2017 at 4:11 PM, Antonio Fontes - OWASP <
> antonio.fontes at owasp.org> wrote:
>
>> Hello fellow Leaders,
>>
>> I am setting up a half-day internal introduction/workshop to a small
>> group of project managers involved in web projects.
>>
>> While I have a good view on what I will show them in terms of content and
>> topics, I'm having some difficulty in finding an exercise they could do
>> after the "slides" part and, which would not require technical skills (they
>> are definitely not versed in terms of appsec/web dev).
>>
>> Two main questions:
>> 1) have some of you included hands-on/exercises in appsec awareness
>> sessions when there are no technical people in the audience (not technical
>> meaning: no showing source code, no asking to perform attacks on websites
>> and no threat modeling)? Should exercises be avoided with high level
>> audiences? Any experiences you would be willing to share? Or would you
>> recommend sticking to "presenter" mode?
>> (P.S. I have a 30-45 minutes "budget")
>>
>> 2) If you have exercises to recommend (or to avoid) please feel more
>> than welcome to share!
>>
>> Cheers,
>> Antonio
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
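Andy's URL-substitution exercise from the quoted message, written out as code. This is an added example and not part of the thread: a toy account page that trusts the id in the URL (so a saved link works for anyone, and editing the number reaches someone else's account) beside one that identifies the caller from a session cookie and checks ownership. The account numbers, session tokens and the bank.example host are constructed for the illustration.

```python
"""Insecure direct object reference via URL substitution, beside the fix.

Added example, not code from the thread. The accounts, session tokens and
the bank.example host are constructed for this illustration.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500.00},
    1002: {"owner": "bob", "balance": 40.00},
}
# Server-side session store: cookie value -> authenticated user.
SESSIONS = {"sess-alice-7f3a": "alice", "sess-bob-91c0": "bob"}


def _account_id_from_url(url):
    """Return the id query parameter as an int, or None if absent or malformed."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, IndexError, ValueError):
        return None


def vulnerable_account_view(url):
    """The URL alone decides what is shown; there is no caller identity at all.

    https://bank.example/account?id=1001 shows Alice's account to whoever
    holds the link: save it, send it to a friend, or change 1001 to 1002.
    Returns (status, body) like a minimal HTTP handler.
    """
    acct_id = _account_id_from_url(url)
    if acct_id is None:
        return 400, None
    acct = ACCOUNTS.get(acct_id)
    if acct is None:
        return 404, None
    return 200, acct


def hardened_account_view(url, cookies):
    """Identify the caller from the session cookie, then check ownership.

    The object id still comes from the URL, but it is only honoured when the
    record belongs to the authenticated user. A foreign id gets the same 404
    as a nonexistent one, so the endpoint does not leak which ids exist.
    """
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, None
    acct_id = _account_id_from_url(url)
    if acct_id is None:
        return 400, None
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != user:
        return 404, None
    return 200, acct


if __name__ == "__main__":
    link = "https://bank.example/account?id=1001"
    print("vulnerable, link shared with no cookie:", vulnerable_account_view(link))
    print("vulnerable, id edited to 1002:         ",
          vulnerable_account_view("https://bank.example/account?id=1002"))
    print("hardened, no cookie:                   ", hardened_account_view(link, {}))
    print("hardened, alice reads her own account: ",
          hardened_account_view(link, {"session": "sess-alice-7f3a"}))
    print("hardened, alice tries bob's account:   ",
          hardened_account_view("https://bank.example/account?id=1002",
                                {"session": "sess-alice-7f3a"}))
```

The point Andy makes about countermeasures shows in the diff between the two handlers: no proxy or scanner in front of `vulnerable_account_view` can supply the ownership check, because only the application knows which user a session belongs to and which records that user owns.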