OWASP Application Security Curriculum Project

Track:OWASP Projects
When:Tue PM-2
OrganizersAdrian Winckles Adrian Winckles , John DiLeo John DiLeo
ParticipantsBjoern Kimminich Bjoern Kimminich , John Ellingsworth John Ellingsworth


Part of OWASP’s main purpose is to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. A key part of that mission is to educate not just the current generation of developers or information security professionals, but also the next generation, particularly in the context of the acknowledged skills shortage in the security sector.

A common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all. In some regions, attempts have been made to address this deficit.

In the UK for example, ISC2 and the BCS are working on an initiative to embed security firmly within the Computer Science curriculum, with an emphasis on secure coding techniques. OWASP, through my involvement, also champions this initiative.

There is an opportunity for OWASP to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” curriculum template which can be adopted and adapted by diverse educational partners and organisations. Such a template would also give a useful starting point or reference document for when we engage with other professional bodies.


The deliverables for this project would be:

  1. Identify and recommend a number of Application Security Learning Outcomes*1
  2. Link the identified learning objectives to available or required resources
  3. Produce an open curricula for industry


Deliverable #1

Would be to undertake a gap analysis of existing and missing curricula requirements.

This will be achieved through literature reviews, surveys/interviews with industry, information gathering advice from professional bodies.

The anticipated generated deliverables would be a number of academic papers in the fields of a) security and/or b) learning and teaching.

Deliverable #2

Would be to undertaken a gap analysis of existing and missing teaching resources.*2

This will be achieved through a discovery workshop and industry visits.

The anticipated generated deliverables would be a number of academic papers and a definitive list submitted to OWASP for new project requirements.

Example of Available Opensource Resource/LO mapping (what go, what is missing, what needs improving): RESOURCE LO#1 LO#2 LO#3 LO#4 etc…


Cheatsheets Webgoat Hackademic Security Shepherd JuiceShop


Deliverable #3

Would be to develop a learning skills framework suitable for industry, with the approval of OWASP.

Information gathering will be achieved via industry outreach and visits to confirm the framework meets industry requirement.

The anticipated generated deliverables would be an industry focused academic curriculum conference.


  • Application Security Trainers
  • CISO’s
  • Talent Acquisition
  • Developer Leads
  • Academics

Working materials


Register as participant

To register as participant add OWASP Application Security Curriculum Project to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page

Back to list of all Working Sessions