Threat Modelling Practitioner Training

None

Audience

Engineers, architects, solutions consultants, project managers, scrum masters and security professionals.

• The why, what, how, and when of threat modelling
• How to create and update a threat model
• How to create an actionable threat model with your stakeholders
• How to organise and prepare efficient threat modelling workshops
• How to explain the methodology and need for threat modelling to others
• Diagramming techniques, including Data Flow Diagramming
• Threat identification techniques, including STRIDE and attack trees
• How to carry out technical risk rating using the OWASP risk rating methodology
• How to mitigate security and privacy threats with standard mitigations
• The soft skills that will make you a better threat modeler

Live Use Case ‘Client’ Scenario specific learning outcome.

Week 1: Threat modeling introduction (self-paced)

• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Documenting a threat model

Week 2: Diagrams – what are you building? (self-paced & live lab)

• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Hands-on: Diagramming web and mobile applications, sharing the same REST backend

Week 2: Identifying threats – what can go wrong? (self-paced & live lab)

• STRIDE introduction
• Threat tables
• Hands-on: Threat modeling an IoT gateway with a cloud-based update service
• Attack trees
• Attack libraries
• Hands-on: Get into the attacker's head – modeling points of attack against a CNI facility

Week 3: Addressing each threat (self-paced & live lab)

• How to address threats
• Mitigation patterns
• Setting priorities through risk calculation
• Risk management
• Threat agents
• The mitigation process
• Threat mitigations for microservices and S3 buckets in a payment service
• Hands-on: threat modeling the DevOps CI/CD pipeline

Week 4: Threat modeling tooling and resources (self-paced)

• Open-Source & free tools
• Commercial tools
• Hard copy
• Online resources
• Threat modeling community
• Example threat models

Month 2: Bring your own case (self-paced & live lab)

• Bring your own threat model – Customer Specific
• Transfer activities
• Mentoring
• Review session

This course, also includes a complimentary online Certified Threat Modelling Practitioner exam, provided by Toreon.