Early bird registration rate ends on the 24th of April
Based on our successful trainings in the last years, we release this updated advanced threat modeling training with even more excercises and examples. This year we introduce an extra section on “offensive threat modeling” as part of pentesting.
As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.
In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands-on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.
Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
B2B web and mobile applications, sharing the same REST backend
An Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service
OAuth scenarios for an HR application
Privacy of a new face recognition system in an airport
Get into the defenders head – modeling points of attack against a nuclear facility
After each hands-on workshop, the results are discussed, and students receive a documented solution.
Based on our successful trainings in the last years we have received great and positive feedback:
“Sebastien delivered! One of the best workshop instructor’s I’ve ever had.”
“Very nice training course, one of the best I ever attended.”
“I feel that this course is one of the most important courses to be taken by a security professional.”
“The group hands-on practical exercises truly helped.”
“hands-on labs are very well designed and the solutions are also very smart!”
Key Learning Objectives
Cover the 4 main steps of creating and updating an effective threat model
Use threat model as part of secure design of systems and to more efficiently scope pentesting
Use threat modeling as a way to learn, model and communicate with security and development teams and build bridges between them.
Who Should Attend
This course is aimed at software developers, architects, system managers or security professionals.
Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.
Hardware / Software Requirements
The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions.
What Students Will Be Provided With
Hand-outs of the presentations, with notes
Whiteboard Hacking survival guide
Work sheets of the use cases
Detailed solution descriptions of the use cases
Template to document a threat model
Template to calculate risk levels of identified threats
Agenda – Day 1:
Threat modeling introduction
Offensive threat modeling for penetration testers
What is threat modeling?
Why perform threat modeling?
Threat modeling stages
Exploiting a threat model
Diagrams – what are you attacking?
Data flow diagrams
Hands-on: Attacking a B2B web and mobile applications, sharing the same REST backend
Identifying threats – how can we attack?
Information disclosure threats
Denial of service threats
Elevation of privilege threats
Hands-on: Weakness analysis of an Internet of Things (IoT) smart home deployment
Agenda – Day 2:
Authentication: mitigating spoofing
Integrity: mitigating tampering
Non-repudiation: mitigating repudiation
Confidentiality: mitigating information disclosure
Availability: mitigating denial of service
Authorization: mitigating elevation of privilege
Hands-on: get into the defenders head – modeling points of attack of a nuclear facility.
OWASP Top 10
The “Snowden” documents
Create your own attack list
Penetration testing based on threat models
Create pentest cases for threat mitigation features
Pentest planning to exploit security design flaws
Vulnerabilities as input to plan and scope security testing