Wednesday, June 29 • 09:00 - 17:00
Day 2/2 - Hands-on Threat Modeling


Threat modeling is the primary security analysis task performed during the software design stage: a structured activity for identifying and evaluating the threats to, and vulnerabilities of, an application. Its three modeling activities (security objectives, threats and attacks) are designed to help you find vulnerabilities in your application and in the architecture that supports it. The vulnerabilities you identify can then shape your design and direct and scope your security testing.

Threat modeling lets you consider, document and discuss the security implications of a design in a structured way and in the context of its planned operational environment, at the level of an individual component or of the whole application. This course teaches threat modeling through a series of workshops in which the trainer guides you through each stage of a practical threat model.

This course is aimed at software developers, architects, system managers and security professionals. Before attending, students should have a basic knowledge of web and mobile applications, databases and single sign-on (SSO) principles. Students should bring their own laptop to the course.

Course topics

Threat modeling introduction

  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model

Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend

Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premises gateway and a secure update service

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
  • Hands-on: threat mitigations for OAuth scenarios in web and mobile applications

Practical threat modeling

  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations

Threat modeling tools

  • General tools
  • Open-Source tools
  • Commercial tools

Attack libraries

  • Libraries and checklists
  • CAPEC
  • OWASP Top 10
  • Building your own library

Examination

  • Hands-on examination
  • Grading and certification

Student package

Students receive the following package as part of the course:

  • A hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (Wiley, 2014)
  • Hand-outs of the presentations
  • Worksheets for the use cases
  • Detailed solution descriptions for the use cases
  • A template to document a threat model
  • A template to calculate risk levels of identified threats
  • Certificate: after passing the exam (passing grade 70%), the student receives a certificate of successful completion of the course

Trainer

Sebastien Deleersnyder

Managing Partner, Toreon
Sebastien Deleersnyder is co-founder and managing partner for application security at Toreon.com. Sebastien has helped various companies improve their ICT, web and mobile security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the OpenSAMM...

Wednesday June 29, 2016 09:00 - 17:00
Bramante 09

Attendees (10)