Ask HN: Effective Application Security Training

  • What would be your #1 goal for the training, and how would you be able to measure success? It's great to have knowledge of all OWASP top 10, but it's unlikely to be internalized through single training sessions. Maybe a case-study approach would serve you better, e.g. look for writeups of bugs found by HackerOne or BugCrowd researchers and extrapolate/fictionalize an entire attack tree from there.

    Why are experienced and inexperienced people together in the same training session? Do experienced people just attend for annual security training requirements?

    Could you provide tools for people to pentest their dev/staging environments? For example, are people aware of tools like sqlmap and OWASP ZAP? ZAP HUD was pretty fun to use because it requires less application switching.
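As an added illustration (not part of the thread above), here is the kind of self-contained case study the comment's suggestion points at: the bug class that sqlmap automates, shown as a vulnerable login query beside its parameterized fix, plus a toy boolean-based probe of the sort sqlmap runs to decide whether an input is injectable. Everything here is constructed for the example: the in-memory SQLite table, the two users, and the `probe_boolean_blind` helper are assumptions, not anything from sqlmap or the original post.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    # Sample rows are made up for the exercise; plaintext passwords are part of the
    # deliberately bad "before" state, not a recommendation.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' version: user input is concatenated into the SQL text,
    so a quote in the username rewrites the WHERE clause."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """The fix: bound parameters. The driver sends the values separately from
    the statement, so a quote in the input is just a character in a string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def probe_boolean_blind(conn, login_fn):
    """Hypothetical minimal version of a boolean-based injection check.

    Send one payload whose injected condition is always true and one whose
    condition is always false. If the application behaves differently, the
    input reaches the query unescaped. Real scanners such as sqlmap do the
    same comparison far more carefully (many payload shapes, page diffs,
    timing); this helper exists only to make the idea concrete.
    """
    true_payload = "' OR 1=1 --"
    false_payload = "' OR 1=2 --"
    true_result = login_fn(conn, true_payload, "irrelevant")
    false_result = login_fn(conn, false_payload, "irrelevant")
    return true_result != false_result


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check with a classic `' --` payload.
    print("vulnerable login as alice' --:", login_vulnerable(db, "alice' --", "wrong"))
    print("safe login with same payload:  ", login_safe(db, "alice' --", "wrong"))
    print("safe login with real creds:    ", login_safe(db, "bob", "hunter2"))
    print("vulnerable endpoint injectable?", probe_boolean_blind(db, login_vulnerable))
    print("safe endpoint injectable?      ", probe_boolean_blind(db, login_safe))
```

For a training session this pairs well with the case-study approach suggested above: run sqlmap (or ZAP) against the vulnerable version in a throwaway environment so people see the tool find it, then ship the parameterized version and confirm the same scan comes back clean.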