Live Online Training
Presented By: Steven Wierckx
Get More Out Of Your Models
As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. To minimise that gap, we have developed practical use cases based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. By using this methodology in the hands-on workshops, we provide our students with a robust training experience and the templates to incorporate threat modeling best practices into their daily work.
Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
- B2B web and mobile applications, sharing the same REST backend
- An Internet of Things (IoT) deployment with an on-premises gateway and a cloud-based update service
- OAuth scenarios for an HR application
- Privacy of a new face recognition system in an airport
- Get into the defender's head – modeling points of attack against a nuclear facility
After each hands-on workshop, the results are discussed, and students receive a documented solution.
We will show how this methodology can be integrated into your existing processes and where tools might be of assistance. We will provide a curated list of references and reading material to use after the course.
We will finish the course with an exam to provide you with a certificate to prove your knowledge.
The 2-day course will take place online on the 14th and 15th September 2021.
The price is £1,300 (inc VAT/£1,083.33 ex VAT).
Who Should Take This Course
- Software developers
- Security and system architects
- System managers
- Security professionals
- Application security specialists
What You’ll Learn
- Cover the 4 main steps of creating and updating an effective threat model.
- Use threat modeling as part of the secure design of systems and to scope penetration testing more efficiently.
- How to implement threat modeling in both agile and non-agile organisations.
- Use threat modeling as a way to learn, model and communicate with security and development teams and build bridges between them.
- Which tools exist and where they can be of assistance.
Day 1 – Introductory Threat Modeling
- Threat modeling introduction
- Diagrams – What are you building?
- Hands-on: diagram B2B web and mobile applications sharing the same REST back-end
- Identifying threats – What could possibly go wrong?
- Hands-on: STRIDE analysis of an IoT solution
- Hands-on: Building an attack tree for a nuclear facility
Day 2 – Going Further
- Addressing Each Threat
- Hands-on: Threats & mitigations (OAuth) for web and mobile applications
- Privacy Threat Modeling
- Hands-on: DPIA threshold analysis: face recognition system airport
- Advanced Threat Modeling
- Hands-on: “The nuts” poker tournament
- Threat modeling tooling
- Threat modeling resources
What To Bring
- A laptop or tablet to view course content and take the exam.
What Students Are Provided With
- Presentation hand-outs
- Use case worksheets
- Detailed use case solution descriptions
- Threat model document template
- Risk calculation template
- Following a successful exam (passing grade defined at 70%), the student will receive certification for successful completion of the course
About the Trainer
Steven Wierckx is a software and security tester with 20 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling.
He is the project leader for the OWASP Threat Modeling Project and organises the BruCON student CTF. He spoke at Hack in the Box Amsterdam, hosted workshops at BruCON and DevSecCon (UK) and delivered threat modeling trainings at OWASP AppSec USA, OWASP AppSec Israel, BruCON and O’Reilly Security New York.