2-DAY TRAINING 1 – Advanced Whiteboard Hacking – AKA Hands-On Threat Modeling




CAPACITY: 15 pax




As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.

To minimize that gap we have developed a 2-day course with practical use cases, based on real world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in virtual breakout rooms of 3 to 4 people to perform the different stages of threat modeling on the following:

  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service
  • OAuth scenarios for an HR application
  • Privacy of a new face recognition system in an airport

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years we have received great and positive feedback:

“Sebastien delivered! One of the best workshop instructor’s I’ve ever had.”

“Very nice training course, one of the best I ever attended.”

“I feel that this course is one of the most important courses to be taken by a security professional.”

“The group hands-on practical exercises truly helped.”

Key Learning Objectives

  • Cover the 4 main steps of creating and updating an effective threat model
  • Use threat model as part of secure design of systems and to more efficiently scope pentesting
  • Use threat modeling as a way to learn, model and communicate with security and development teams and build bridges between them.

Who Should Attend

This course is aimed at software developers, architects, system managers or security professionals.

Prerequisite Knowledge

  • Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.

Hardware / Software Requirements

  • Stable internet access
  • Access to your own laptop or tablet
  • Ability to participate in MS Teams virtual meetings
  • Ability to participate in dedicated private Slack channels created for the training.

What Students Will Be Provided With

  • Hand-outs of the presentations
  • Work sheets of the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

Agenda – Day 1:

Threat modeling introduction

  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Different threat modeling methodologies
  • Document a threat model

Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
  • Sequence and state diagrams
  • Advance diagrams
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend

Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Attack trees
  • Attack libraries
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service

Agenda – Day 2:

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Specialist mitigations
  • Hands-on: threat mitigations OAuth scenarios for web and mobile applications

Privacy threat modeling

  • GDPR
  • Privacy by design
  • Privacy impact assessment (PIA)
  • Privacy threats
  • Mitigating privacy threats
  • Hands-on: privacy threat modeling of face recognition system in an airport

Advanced threat modeling

  • Typical steps and variations
  • Validation threat models
  • Effective threat model workshops
  • Communicating threat models
  • Updating threat models
  • Remote threat modeling
  • Threat models examples: automotive, industrial control systems, IoT and Cloud

Threat modeling resources

  • Open-Source tools
  • Commercial tools
  • General tools
  • Threat modeling tools compared


  • Hands-on examination
  • Grading and certification

Location: Training Rooms Date: July 20, 2020 Time: 9:00 am - 6:00 pm Sebastien Deleersnyder