I have been running Application Security workshops for developers, architects and testers for more than 3.5 years now, and I thought I would share my experience of running these AppSec workshops and talking to the people who attend them.
Here are a few of my learnings, shared for everyone's benefit.
1. Requires Art to Involve Developers: While talking to developers and breaking their myths about security, I have realized that a workshop needs a great deal of involvement from the audience.
"Tell me and I forget, teach me and I may remember, involve me and I learn" - Benjamin Franklin. This is perfectly apt for these kinds of workshops too. Dealing with developers, I had to engage with them to help them realize the impact of security on building software: giving real-life examples, creating excitement, and involving them through fun, relevance, problem solving and emotion.
2. Requires Art that can Create Excitement: Very often I need to build momentum by showcasing demonstrations that create excitement and keep it up. I have realized some pitfalls too: thinking that people would get excited as soon as they hear an opinion or about a product, thinking that the audience would automatically be enthusiastic if I am, and thinking I can create excitement by hitting the audience with "everything I have got".
I started to engineer "kickers" for my audience. For example, once I told them I was going to show them some magic: I had a magic piece of software which, if you enter your details, tells you something about your personal life. This created an atmosphere of curiosity and skepticism, where people started wondering how this could be and how true it was. Smart people started thinking about where I could have obtained their personal information. :) Whatever the case, the faces in the audience told me that all eyes were on me constantly, on every move I made and every word I spoke. In reality, I had done some background work on my audience, gathering their personal information from different people, places and sites that I knew of, information it would be really interesting for them to learn that others knew about. I leave it to you to guess what all these things can be.. !! But my main aim was to make them think about where they had leaked this sensitive information and how, to make them think about what could happen if this data were misused, and finally, for one day, I wanted them to think like ATTACKERS ... So yes, the kicker worked both in creating excitement and in bringing them into the workshop with a different attitude. Since then, I have always tried to engineer different "kickers" for my workshops, and fortunately most of them have worked superbly.
3. Requires Persuasion with Stories at Times: Storytelling reveals meaning without committing the error of defining it. Stories are great persuaders because they create a sympathetic emotional response in an audience. For example, sharing some of my conversations with customers about security-related defects, or sharing how a manager managed to overcome all the budget issues and still fix security defects, used to make a difference. The crux is that if I tell the audience about the most embarrassing thing that ever happened to me, every member, on some level, starts thinking either about a similar moment in their own life or about how they would feel in my situation. The emotions in the stories helped me guide decisions and can be a catalyst in helping the audience gain acceptance quickly.
4. Workshop that Persuades with Humour: Audience laughter connects better and makes points memorable. It acts like a pleasant lubricant for the flow of information. More than that, I feel completely in control when I can hear a wave of laughter coming back at me that I have caused, so this comedy is very controlling. I also prepared savers, because not every joke works !! A saver is a piece of self-deprecating humour for when a joke bombs. The key aspects I learnt while practising in every workshop were: memorize the punch lines, try to localize the humour, deliver key phrases in the setup slowly and clearly, let the people know when the punch line is coming, and when the joke bombs, pause, wait for the laugh and regain control over the audience. :)
In different workshops, I tried different things: sometimes adding humour to introduce myself, to introduce a subject, to reinforce a key point after I had made it, to defuse anger or hostility, or to defuse criticism.
5. The Day that Inspires: I always used to dream that my workshop day should be one where everyone considers leaving their current job and thinks about working with me.... hahaaa... I knew it's not possible. I only wanted them to be inspired by what I could present. Every developer had to be told that there is much more to software than just its functionality and the standard security measures they had been taking. It had to be a presentation that inspires, that presents an action which, if taken, will connect my audience to something extremely great or meaningful. I used to think that you have to be a gifted genius, a sainted visionary or touched by a great spiritual force to inspire an audience, but I was wrong. Slowly I learnt the way to inspire: creating a vision, asking from the heart "what does my audience need or want to believe?", and looking for greatness in small, everyday software development practices. I knew that if the vision stuck, it was time for a call to action.
6. Welcoming to the Real Security Perception: Most of my audience would come in carrying a very different perception of what security is, how much security is required and how it can be bolted on. The challenge was to change that perception. If the audience has a negative attitude towards a proposal, it will be hard to win approval. Every attitude is formed from the initial perceptions that created it. Change those perceptions and you can change the attitude; change the attitude and a new behaviour can follow. This is what I learned across all these workshops. I often redefined their process of evaluating software security: the attributes, the nice-to-have features, the must-have features, etc.