This is a “Train the Trainer” document, to be used by someone who wants to present this talk for an audience. If you were hoping to learn more about this topic, and not to learn how to present this talk, stop reading this document and do this instead: 1) watch the video of this talk, 2) read the blog series based on this talk and 3) follow the author of this talk to continue learning about this topic, Tanya Janca. Thanks!

Welcome, Presenter! Thank you so much for wanting to spread the word and help make the world a more secure place! This document will attempt to help you do a great job of presenting this talk, so that you look awesome and the audience learns and enjoys themselves.

Along with the video of the presentation, this document will link to all the stories, jokes and concepts you need to successfully present including PowerPoint slides.

Let’s get started, shall we?

1. Read this document in its entirety.

2. Watch the video of this talk

3. Watch the “Train the Trainer” video, a slide by slide breakdown of possible stories, concepts or ideas that you should ideally try to explain.

This presentation is just talking, no demos. You only need the slide deck and a screen.

• This guide
• PowerPoint presentation including notes for each slide (in this folder)
• Full-length recording of presentation here
• Recorded “Train the Trainer” session here

With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease.  “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process.  From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left', like a boss.

This presentation is an introduction to the topic of application security (AppSec). The focus should be ensuring the audience understands that AppSec is important to our industry, it’s something they need to work on, and most importantly, that they can do it. Attendees should walk away with a basic understanding of what the common AppSec activities are, and hopefully enough curiosity to go off and try out some of the activities for themselves.

This talk will also intro the audience to OWASP and other resources that they can use to become more knowledgable in this area. Do your best to encourage the audience to continue learning, as this talk is hopefully just the beginning of their AppSec journey.

This talk can be anywhere from 25 minutes to 45 minutes, depending upon how many stories you decide to tell for each slide.

00-05: Introduction to talk

• I wrote this talk to try to teach everyone what AppSec is, and the basics, in one sitting. All the things that I wish I knew 4 years ago.
• What is “Pushing Left”, explain concept, and that you will repeat this again, because if they only take home one concept this is the one they need to know.

5-10: Current State of Affairs
Assure the audience that you know many of them know this, but you want to ensure everyone is at the same level. This is important because many of them will know this first part and you don’t want them to leave, but also because many people think they know but are missing part of the picture.

• Information on data breaches and AppSec being the #1 cause 3 years running
• Many security teams only concentrate on the perimeter/network security and ‘enterprise security’, locking down workstations, phishing etc. Yet alls are a window directly into your network, if they are insecure.
• AppSec definition
• Penetration testing - usually invited at the end, when it’s too late
• CIA - the IT Security Mandate. Why does everyone in IT not have this memorized?

10–15: Now into Pushing Left

• Redefine “Pushing Left” with the house analogy
• Explain that to push left like a boss we need to formalize our security activities into the SDLC, launching an appsec program
• Next slides will be what an appsec program can be, organized into food. “The main course”, “Gravy” and “Dessert”

15-30:  AppSec Activities This section is general explanations of the most common appsec activities, what they mean, and common misconceptions.

• Main course - define each item, in detail, on slide
• Gravy - define each item, in detail, on slide
• Dessert - define each item, in detail, on slide

30-40: How can YOU Push Left? This section is explains what the members of the audience can start doing right away to make more secure software

• Scanning your code
• Caution about scanning your code - be careful and do not break the law!
• Threat Modelling
• Code Review
• Writing Better Code - it’s important the audience understands that this slide is about mastery, continuous learning and self-improvement and that it is not meant to make them feel they are not competent. We can all strive to be even better, now matter how great we are. There is always more.

40-45: Resources

• Lead them to the pushing left blog post series, that should give them significantly more information that they can read at their own page
• Invite them to join the OWASP Community
• If they are women invite them to join the WoSEC community
• Share the “getting started with AppSec” link, which is a series of links to free online training courses that I recommend.
• A slide about the author and where you can get more of her content
• Please feel free to add your own slide for self promotion!
• Thank you - Thank the audience for their time.

Q&A - this can take up to 20 minutes, budget an hour for this talk + Q&A if possible.

Recorded Train-The-Trainer session here

• https://aka.ms/GettingStartedWithAppSec
• Pushing Left Blog Series
• https://twitter.com/shehackspurple
• https://DevSlop.co
• https://medium.com/@SheHacksPurple
• https://youtube.com/SheHacksPurple
• https://Dev.TO/SheHacksPurple
• https://owasp.org

Content Developer & Author Tanya Janca

Published: (June 7, 2019)