Article Series: So you want to train at Black Hat (or other conferences)?
This is a series of articles about our experiences submitting, preparing and delivering training at Black Hat (and other conferences as well).
It has been quite the journey and it feels like we learnt a lot of things which were not obvious to us at the beginning or were just not documented.
In this series, we will try to set this information out in an organized way to hopefully help people in the future who are interested in going through a similar journey.
This series is ongoing with new posts released every few weeks. If you want to keep up with new posts, follow us on Twitter or LinkedIn.
Posts in this series:
- So, you want to train at Black Hat? An Introduction
-
What is my motivation? What should your motivation be?
What is my motivation? What should your motivation be?
Published on 28 January 2024 by Josh Grossman
Introduction
In this post I will give you some personal background about how I got into delivering public training courses and why.
May aim is to put some of the later chapters in perspective and also help you understand the motivation you might need to do this.
Admittedly, this chapter is more about me than it is about you so if you are already comfortable with your motivation you may want to skip to the bottom line of this chapter, what I think you need to expect from the journey.
Some background
At my previous employer, I had always looked admiringly at the posters on the wall from when my previous boss (AppSec legend, Erez Metula) had delivered some of the early mobile security training courses at Black Hat USA. By the time I started there, it was something they were no longer doing but being familiar with the prestige associated with Black Hat training courses, I always felt impressed to work for someome one who had done that.
Separately, I had also been involved with reviewing the training course submissions for Global AppSec Tel Aviv 2019, (one of the last in-person OWASP Global AppSec conferences before COVID) as well as some of the local conferences as well.
I had prepared and delivered some training courses in the past and these submission reviews meant that I was also quite familar with the application security training landscape.
Starting at Bounce Security
However, I’m not sure that my new boss (AppSec legend, AviD) had any of that in mind when he asked me, shortly after I had started working with him, if I was interested in developing any training courses. Avi is well known for his threat modeling training which he has been delivering for many years now and working with him, it was a natural thing for him to ask.
Little did we know the journey this simple question would take us on…
Scratching an itch
When I starting thinking about the answer, I thought back to a challenge I had seen at a number of recent clients. In each case, they had implemented a bunch of AppSec tools like SAST, DAST and SCA and gotten absolutely buried in findings, technical challenges and arguments about who should be fixing things. When I say challenge, I meant that this had made lots of people’s jobs a lot more unpleasant and probably caused a net damage to the overall level of application security instead of an improvement. It certainly made people hate the entire topic.
The more I thought about it, the more it seemed like a gap in a crowded market for AppSec training courses. All the training courses related to AppSec tools which I had seen seemed to focus primarilly on the technology side of the tools such as implementation and automation. Having seen these tools in real-life, it seemed like no one wanted to talk about the people and process aspects of using these tools. (Hindsight has shown how much of a problem this is in AppSec in general, not just related to tools which provided the inspiration for the next evolution of this course.)
My motivation
My depth of feeling on this topic soon led me (with Avi’s encouragement) to prepare an outline of how I would design a 2-day course based around this topic. Along the way, I brain dumped things that I felt were important content for each section, based on what I had seen and what I knew.
And this is a critical point. I don’t love designing training courses, I don’t love writing slides. Maybe some people do, I don’t know…
However, I felt strongly enough about this and was passionate enough to push through and pull all of this together. And then stick with it when things got harder later on. I was determined that this was valuable content and that I wanted to do the work to get this released.
Your motivation
The bottom line of this section is that building a course from scratch, marketing it and then finally delivering it is going to be a long and tricky road.
If you are not used to teaching or presenting then it may also take you out of your comfort zone and you may need to skill up in areas you previously were not used to such as public speaking. Make sure you are passionate enough about this path before you get started.
Next post: The financial aspect
My motivation for this was certainly not money. A lot of the time spent putting this together was in working time when we didn’t have a full project load so the time was available any way. The course revenue has covered back some of the time we put into the course, but probably not all. On the other hand, the experiences it led to certainly had value as well.
In the next blog post, I’ll go into much more detail on the financial aspects of training.
This post is part of a series: So you want to train at Black Hat (or other conferences)?
Other posts in this series:
- So, you want to train at Black Hat? An Introduction
-
What is my motivation? What should your motivation be?