[Owasp_cornucopia] Experience of my First Use with Development leads

Ferris, Ken ken.ferris at travelex.com
Tue Jun 25 10:38:32 UTC 2013

None of this is very scientific but I thought it might help to share my experience of using the card deck for training.
Printed the cards and sat down 3 senior development leads

Brief I gave them was

* We play a hand of cards
* See who wins
* Then discuss what is on the cards (I left it to them to ask questions rather than read aloud)

A question I could not answer was: are the vulnerabilities ranked by the number on the card? For the few I looked at I thought so, e.g. 'you have invented a new attack against Cryptography' = Ace.

Card game wise we played a version of '21', which reduces the number of cards to be discussed at the end of each round; that worked well, however...
Wondering what card games others have used and did it affect how effectively folk learn...

Is the number of cards in a hand significant in relation to how effectively you learn? Maybe not?

With a security person in the room to answer questions and deal with further questions as the players elaborate on the real world issues they currently face,
I see this as an effective security training tool. I know the guidance and explanations are on the cards so it would work without a security person 'mentoring the game', but it is hard to tell how efficient this would be.
(Long term I would like to embed this in the development process. I am looking for maximum knowledge in as little time as possible; hopefully the training is built into Sprints via the sprint planning meeting, using the suits relevant to the Sprint.)

At the start of the game, as suggested, I selected the 'suits' most relevant to the work the teams were working on.
As we worked our way through the deck we discarded the cards which we had already read and continued our way through the deck; eventually we ran out of cards and grabbed the 2 suits which we had discarded.

So 4 people 1.5 hour whole deck.
Obviously we only discussed a few of the cards as a group.
As part of a wider security training programme I think this works. It definitely stimulated debate (at times quite lively).
Yes, there were times that people were more interested in the card game than the training. I think it is best to accept this will happen; people learn better if they are alert and engaged so .........

Only 1 of the 3 Guinea-pigs had previously seen the OWASP Secure Coding Practices Quick Reference Guide

Lessons Learned
(gambling, even for chips, may be an issue for some organisations / staff:  need to think about this...)
Using 'Hero Chocolates' as chips was popular
Awarding a Gingerbread man as a prize, in addition to taking your winnings home, gives you a way of finishing the session in theatrical fashion.

Group size: we were 4; interested to know what group sizes others have tried. 4 seemed to work well, I would say 5 maximum.

Printing will always be a bit of a lottery. I use my home Kodak inkjet printer, set to best quality. Just an observation... it takes time to print out and push out the cards.
Next time I will run this through a colour laser printer in the office, as some of the suits were hard to read (background colour too pastel).

Opinions on the readability of the text varied from 'hard to read' to 'just fine, what are you talking about'! (probably fine for all on a laser printer)

Next step.
Run 2 more training sessions later this week.

Finally a big thank you to all who contributed to putting this together, it must have taken a lot of time.

Ken Ferris
Enterprise Security Architect

Travelex - www.travelex.co.uk
