Wednesday, June 29 • 09:00 - 17:00
Day 2/2 - Hands-on Threat Modeling


Threat modeling is the primary security analysis task performed during the software design stage. It is a structured activity for identifying and evaluating the threats to an application and the vulnerabilities they could exploit. Modeling the security objectives, the threats and the attacks during threat modeling is designed to help you find weaknesses in your application and its supporting architecture. You can use the identified weaknesses to shape your design and to direct and scope your security testing.

Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.

This course is aimed at software developers, architects, system managers and security professionals. Before attending, students should have a basic knowledge of web and mobile applications, databases and single sign-on (SSO) principles. Students should bring their own laptop to the course.

Course topics
Threat modeling introduction
  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model

Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend

Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premises gateway and a secure update service
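The two hands-on exercises above (drawing a data flow diagram with trust boundaries, then running STRIDE over it) can be sketched in code. The following Python is an added illustration, not course material or the trainer's solution: it encodes the STRIDE-per-element applicability table from Shostack's book, builds a constructed DFD for web and mobile clients sharing one REST backend (the element names and trust zones are assumptions), enumerates candidate threats, and flags flows that cross a trust boundary. The ordering heuristic in `ranked` is illustrative and is not the course's risk template.

```python
"""STRIDE-per-element over a small data flow diagram (added example).

Constructed scenario: a B2B web app and a mobile app sharing one REST
backend. Element kinds and the STRIDE applicability table follow the
per-element convention in Shostack, Threat Modeling: Designing for
Security (2014); the element names, zones and flows are assumed.
"""
from dataclasses import dataclass

# STRIDE applicability per DFD element kind.
# S spoofing, T tampering, R repudiation, I information disclosure,
# D denial of service, E elevation of privilege.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process":  "STRIDE",
    "store":    "TRID",   # R: tampering with a log store enables repudiation
    "flow":     "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool


def boundary_crossing_flows(elements, flows):
    """Names of flows whose endpoints sit in different trust zones."""
    zones = {e.name: e.zone for e in elements}
    return [f.name for f in flows if zones[f.src] != zones[f.dst]]


def enumerate_threats(elements, flows):
    """One candidate threat per (element, applicable STRIDE category).

    Flows get T/I/D and are flagged when they cross a trust boundary,
    since that is where an attacker can touch the data in transit.
    """
    zones = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, c, False))
    for f in flows:
        if f.src not in zones or f.dst not in zones:
            raise ValueError(f"flow {f.name!r} references an unknown element")
        crosses = zones[f.src] != zones[f.dst]
        for c in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(f.name, c, crosses))
    return threats


def ranked(threats):
    """Illustrative ordering only (not the course's risk template):
    boundary-crossing flows first, then STRIDE order, then target name."""
    order = {c: i for i, c in enumerate("STRIDE")}
    return sorted(threats, key=lambda t: (not t.crosses_boundary, order[t.category], t.target))


# Constructed DFD. Zones: "customer" (users and the mobile app on their device),
# "backend" (server-side web app and REST API), "data" (database and audit log).
ELEMENTS = [
    Element("Browser user", "external", "customer"),
    Element("Mobile user", "external", "customer"),
    Element("Mobile app", "process", "customer"),
    Element("Web app", "process", "backend"),
    Element("REST API", "process", "backend"),
    Element("Orders DB", "store", "data"),
    Element("Audit log", "store", "data"),
]
FLOWS = [
    Flow("browser -> web app", "Browser user", "Web app"),
    Flow("web app -> API", "Web app", "REST API"),
    Flow("mobile app -> API", "Mobile app", "REST API"),
    Flow("API -> orders DB", "REST API", "Orders DB"),
    Flow("API -> audit log", "REST API", "Audit log"),
]

if __name__ == "__main__":
    for t in ranked(enumerate_threats(ELEMENTS, FLOWS)):
        flag = "  [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.category}  {STRIDE_NAMES[t.category]:<24} {t.target}{flag}")
```

Running the script lists 45 candidate threats for this diagram; the 12 on boundary-crossing flows come first. The list is a starting point for the "what can go wrong?" discussion, not a finished model: each candidate still has to be judged for applicability, given a concrete attack description and either mitigated or accepted.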

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
  • Hands-on: threat mitigations for OAuth scenarios in web and mobile applications

Practical threat modeling

  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations

Threat modeling tools

  • General tools
  • Open-Source tools
  • Commercial tools

Attack libraries

  • Libraries and checklists
  • OWASP Top 10
  • Building your own library
  • Hands-on examination 
  • Grading and certification

Student package

The course students receive the following package as part of the course:

  • Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Worksheets for the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Certificate: after passing the exam (passing grade 70%) the student receives a certificate of successful completion of the course


Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more...

Wednesday June 29, 2016 09:00 - 17:00 CEST
Bramante 09