THIS CLASS IS NOW BEING HELD ONLINE FOLLOWING SINGAPORE TIMEZONE (CET +6)
DURATION: 2 DAYS
CAPACITY: 15 pax
SEATS AVAILABLE: CLASS CANCELLED
As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world.
To minimize that gap we have developed a 2-day course with practical use cases, based on real world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in virtual breakout rooms of 3 to 4 people to perform the different stages of threat modeling on the following:
B2B web and mobile applications, sharing the same REST backend
An Internet of Things (IoT) deployment with an on-premises gateway and a cloud-based update service
OAuth scenarios for an HR application
Privacy of a new face recognition system in an airport
After each hands-on workshop, the results are discussed and students receive a documented solution. Our trainings over the last years have received very positive feedback:
“Sebastien delivered! One of the best workshop instructors I’ve ever had.”
“Very nice training course, one of the best I ever attended.”
“I feel that this course is one of the most important courses to be taken by a security professional.”
“The group hands-on practical exercises truly helped.”
Key Learning Objectives
Cover the four main steps of creating and updating an effective threat model
Use a threat model as part of the secure design of systems and to scope pentesting more efficiently
Use threat modeling as a way to learn, model and communicate with security and development teams, and to build bridges between them
Who Should Attend
This course is aimed at software developers, architects, system managers or security professionals.
Before attending this course, students should have basic knowledge of web and mobile applications, databases and single sign-on (SSO) principles.
Hardware / Software Requirements
Stable internet access
Access to your own laptop or tablet
Ability to participate in MS Teams virtual meetings
Ability to participate in dedicated private Slack channels created for the training.
What Students Will Be Provided With
Hand-outs of the presentations
Work sheets of the use cases
Detailed solution descriptions of the use cases
Template to document a threat model
Template to calculate risk levels of identified threats
Certificate: after passing the exam (passing grade 70%), the student receives a certificate of successful completion of the course
Agenda – Day 1:
Threat modeling introduction
Threat modeling in a secure development lifecycle
What is threat modeling?
Why perform threat modeling?
Threat modeling stages
Different threat modeling methodologies
Document a threat model
Diagrams – what are you building?
Data flow diagrams
Sequence and state diagrams
Hands-on: diagram B2B web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
Information disclosure threats
Denial of service threats
Elevation of privilege threats
Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premises gateway and a secure update service
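To illustrate what the Day 1 exercises combine (a data flow diagram, trust boundaries and STRIDE), here is a small STRIDE-per-element enumerator run over a constructed DFD of the IoT scenario. This is an added example, not course material or a solution to the exercise: the element names, trust zones and flows are assumptions, and the per-element table (external entity: S, R; process: all six; data store: T, I, D, plus R when it holds audit logs; data flow: T, I, D) is the usual convention rather than anything the course page states.

```python
"""STRIDE-per-element over a small data flow diagram (DFD).

Constructed example for an IoT deployment: field device -> on-premises
gateway -> cloud update service. Names, zones and flows are assumptions.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE categories that apply to each kind of DFD element (assumed
# conventional table; stores holding audit logs also get R).
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str               # external | process | store
    zone: str               # trust zone the element lives in
    holds_logs: bool = False


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool  # True for flows between different trust zones


def enumerate_threats(elements, flows):
    """Apply the per-element table to every element and data flow."""
    zone_of = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        cats = PER_ELEMENT[e.kind]
        if e.kind == "store" and e.holds_logs:
            cats += "R"
        threats += [Threat(e.name, STRIDE[c], False) for c in cats]
    for f in flows:
        crosses = zone_of[f.src] != zone_of[f.dst]
        threats += [Threat(f.name, STRIDE[c], crosses) for c in PER_ELEMENT["flow"]]
    return threats


def prioritise(threats):
    """Crude triage: flows that cross a trust boundary come first."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))


def build_example():
    """Constructed DFD: three trust zones (field, site, cloud)."""
    elements = [
        Element("field device", "process", "field"),
        Element("on-prem gateway", "process", "site"),
        Element("update service", "process", "cloud"),
        Element("firmware repo", "store", "cloud"),
        Element("gateway audit log", "store", "site", holds_logs=True),
        Element("operator", "external", "site"),
    ]
    flows = [
        Flow("telemetry", "field device", "on-prem gateway"),       # field -> site
        Flow("update download", "on-prem gateway", "update service"),  # site -> cloud
        Flow("firmware fetch", "update service", "firmware repo"),  # within cloud
        Flow("operator login", "operator", "on-prem gateway"),      # within site
        Flow("log write", "on-prem gateway", "gateway audit log"),  # within site
    ]
    return elements, flows


if __name__ == "__main__":
    for t in prioritise(enumerate_threats(*build_example())):
        flag = "boundary" if t.crosses_boundary else ""
        print(f"{t.element:18} {t.category:24} {flag}")
```

The output is a starting list, not a finished threat model: each row still needs the "what can go wrong here" question answered in the context of the system, which is what the worksheet and breakout discussion are for.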
Agenda – Day 2:
Addressing each threat
Authentication: mitigating spoofing
Integrity: mitigating tampering
Non-repudiation: mitigating repudiation
Confidentiality: mitigating information disclosure
Availability: mitigating denial of service
Authorization: mitigating elevation of privilege
Hands-on: threat mitigations OAuth scenarios for web and mobile applications
Privacy threat modeling
Privacy by design
Privacy impact assessment (PIA)
Mitigating privacy threats
Hands-on: privacy threat modeling of face recognition system in an airport
Advanced threat modeling
Typical steps and variations
Validating threat models
Effective threat model workshops
Communicating threat models
Updating threat models
Remote threat modeling
Threat model examples: automotive, industrial control systems, IoT and cloud