Application Security BSc/Masters Curriculum Design


This Working Session will explore the possibility of OWASP developing an educational strategy for security programmes at both undergraduate and postgraduate levels.

Part of OWASP’s main purpose is to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. A key part of that mission is to educate not just the current generation of developers or information security professionals, but also the next generation, particularly in the context of the acknowledged skills shortage in the security sector.

A common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all. In some regions, attempts have been made to address this deficit. In the UK for example, ISC2 and the BCS are working on an initiative to embed security firmly within the Computer Science curriculum, with an emphasis on secure coding techniques. OWASP, through my involvement, also champions this initiative.

There is an opportunity for OWASP to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” template which can be adopted and adapted by diverse educational partners and organisations. Such a template would also give a useful starting point or reference document for when we engage with other professional bodies.


  • What aspects of Application Security knowledge and skills does industry need?
  • What problems relating to application security does the next generation of graduate software developers, computer scientists and security analysts need to solve?
  • Establish a core set of learning objectives for BSC/MSc level Application Security curricula
  • Establish which OWASP Projects are useful to help shape and support curricula in Application Security
  • Determine a mechanism by which regional/local deliveries of the curriculum could be supported by the OWASP community (for example, OWASP supporters on validation panels, critical friend on module design, guest lectures and training academics)


This Working Session will deliver the following documents:

  • a core set of learning objectives for BSC/MSc level Application Security curricula
  • a strategy for the OWASP community to support AppSec curricula

Synopsis and Takeaways

This session supported the need for a generic curriculum for application security in university BSC/MSC programs. This involved particular patterns of delivery and how deep/complex the curriculum needed to be. The session looked for a first step strategy, for further discussion at subsequent meetings. The major takeaway was an agreement that there is not enough APPSEC in educational curriculums. The solution is to have a low-level set of core learning objectives, that can be incorporated by secondary educational institutions. A modular set of advanced learning objectives to be built for higher educational settings, based around Builder, Breaker, and Defender frameworks.


Summit Exit Survey

What are the three top APPSEC Skills or Knowledge required from newly appointed graduate:

A) Own Department:




B) Subsequent Departments you interface with:





  • Completion of an exit survey
  • A wider strategy than BSC/MSC, that combines OWASP strategic strengths
  • Agreement that there is not enough AppSec in educational curricula
  • Prioritise/Rank learning objectives
  • Creation of an Educational Diagram

Educational Diagram


The target audience for this Working Session is:

  • OWASP project leaders whose projects have an educational element (probably all OWASP Project leaders)
  • Application Security trainers
  • Academics involved in AppSec and InfoSec
  • Any employer involved in recruiting graduates into application security related roles
  • Other organisations/professional bodies interested in Application Security educational programmes

Working materials

  • draft learning objectives for BSC/MSc level Application Security curricula
  • draft strategy for the OWASP community to support AppSec curricula

Back to list of all Working Sessions and Tracks

Edit this page here