OWASP Application Security Curriculum Project


Description of session

  • Introduced from academic (college leaver) and commercial (workforce training) perspectives
  • Originally presented at OWASP Global AppSec Tel Aviv Projects (26-30 May 2019)
  • Potential UK Academic funding (bid outcome due in early July 2019) to generate a generic Open Application Security Curriculum


  • Promote OWASP as the source of what good application security practice looks like, and
  • Relaunch the OWASP Education Committee, because education is the key to the future
  • Develop links between academia and industry focusing on skills/learning objectives and resources.

Outcome Summary

  1. Establish core Learning Objectives for Application Security curriculum; define educational requirements of industry including:
    • Gap analysis of existing/missing curricula; meet industry requirements
    • Collaborate with industry, professional bodies, existing literature.
  2. Appraise state-of-the-art AppSec teaching resources and determine areas of non-coverage
    • Gap analysis of existing and missing teaching resources through discovery workshops and industry links.
  3. Recommend an open AppSec curriculum for industry
    • Produce and disseminate a learning skills framework
    • Empower academia to support industry in the problems faced in developing the next generation of graduate software developers, computer scientists and security analysts in DevSecOps
    • Address teaching requirements at undergraduate, postgraduate, apprentice, and industry certification levels
    • Get key influencer approval (i.e., OWASP); professional bodies (i.e., IISP, ISC2, CREST).
  4. Develop a curriculum roadmap with key learning outcomes linked to OWASP projects and delivered by infographic
  5. Develop a “training directory” where organisations can register their training programs according to the parts of the program they support.

Follow up

  1. Develop a questionnaire; share with OWASP Project Leaders
    • Project leaders asked to share details on the skills they feel their projects offer and how they fit in existing frameworks.
  2. See how the project can work with other OWASP Projects where there may be significant overlap (e.g., SAMM)
  3. Initiate OWASP Education Committee as a way of engaging support for the project as a wider initiative within the community.

Session organiser(s)

Adrian Winckles, John DiLeo


Bjoern Kimminich, John Ellingsworth
