Threat modelling is the process of identifying security threats and vulnerabilities in your software and deciding how to address them. It is a fundamental working practice of the modern software development team, one that enables teams to reason about their software systems and protect them from attack.
In this course, attendees will learn the ins and outs of threat modelling, covering the tools and techniques used to identify, categorise and mitigate potential threats. It is a highly practical course where participants will learn how to run an actual threat modelling workshop, working as a team to produce effective lists of threats and mitigations.
- Learn how to conduct a threat modelling workshop, working as a team
- How to create Data Flow Diagrams to visualise application flows and potential attack points
- Build a consistent language for categorising threats (STRIDE) and framing security discussions
Setting the Scene
- Why does security matter?
- Examples of successful compromises
- The frequency and severity of attacks
- Cataloguing your data and how it is stored
- Data Protection and Compliance Requirements
Introduction to Threat Modelling
- Advantages of performing threat modelling
- Understanding threat categories and STRIDE
- How threat modelling is used to define and understand application flaws
- Identifying critical paths in your application through data flow diagrams
- Driving effective testing through your threat model
Running Threat Model Workshops
- Practical tools for running a collaborative threat modelling workshop
- How to produce meaningful lists of threats and mitigations through incremental, fast-paced threat modelling
- How to create Data Flow Diagrams to visualise critical paths in your application
- Presenting and discussing actual outputs from a threat modelling session
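To make the STRIDE and Data Flow Diagram topics above concrete, here is an added example (not course material, and not the trainer's code): a small DFD of a web application expressed as elements placed in trust boundaries plus the data flows between them, with the commonly used STRIDE-per-element mapping applied to enumerate a first-pass threat list. Flows that cross a trust boundary are flagged as the critical paths a workshop would dig into, and each threat is paired with a one-line test prompt so the list can drive testing. The element/category mapping and the test wording are assumptions chosen for illustration; a real workshop tunes both, and the sample diagram is constructed.

```python
"""Added example: STRIDE-per-element threat enumeration over a small data flow diagram."""
from dataclasses import dataclass

STRIDE: dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are normally worth raising for each DFD
# element type. This is the widely used SDL mapping, assumed here; a workshop may
# tune it (for example, repudiation on a data store mainly matters if it holds logs).
APPLICABLE: dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# One concrete test prompt per category (assumed wording) so the threat list
# can be turned into a test plan rather than left as a document.
TEST_HINT: dict[str, str] = {
    "S": "check authentication and identity binding on",
    "T": "check integrity and input validation of",
    "R": "check audit logging around",
    "I": "check confidentiality (encryption, access control) of",
    "D": "check rate limits and resource exhaustion handling of",
    "E": "check authorisation and privilege separation in",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external_entity | process | data_store
    boundary: str   # trust boundary the element sits in, e.g. internet / dmz / internal


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    data: str       # what travels on the flow


@dataclass(frozen=True)
class Threat:
    target: str
    category: str   # single STRIDE letter
    note: str
    test: str


def crosses_boundary(flow: Flow) -> bool:
    """A flow is a candidate attack point when its endpoints sit in different trust boundaries."""
    return flow.src.boundary != flow.dst.boundary


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[Threat]:
    """Apply STRIDE-per-element to every node and edge of the DFD."""
    threats: list[Threat] = []
    for e in elements:
        for c in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, c, f"{e.kind} in '{e.boundary}'",
                                  f"{TEST_HINT[c]} {e.name}"))
    for f in flows:
        for c in APPLICABLE["data_flow"]:
            note = f"carries {f.data}"
            if crosses_boundary(f):
                note += f"; crosses {f.src.boundary} -> {f.dst.boundary}"
            threats.append(Threat(f.name, c, note, f"{TEST_HINT[c]} {f.name}"))
    return threats


def critical_paths(flows: list[Flow]) -> list[str]:
    """Names of the flows that cross a trust boundary, in diagram order."""
    return [f.name for f in flows if crosses_boundary(f)]


# Constructed sample DFD: a browser on the internet talks to a web app in a DMZ,
# which queries a user database on the internal network.
BROWSER = Element("browser", "external_entity", "internet")
WEB_APP = Element("web app", "process", "dmz")
USER_DB = Element("user db", "data_store", "internal")
ELEMENTS = [BROWSER, WEB_APP, USER_DB]
FLOWS = [
    Flow("login request", BROWSER, WEB_APP, "credentials"),
    Flow("user lookup", WEB_APP, USER_DB, "SQL with user-supplied parameters"),
]

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        print(f"[{STRIDE[t.category]:<22}] {t.target:<14} {t.note}")
        print(f"    test: {t.test}")
    print("critical paths:", ", ".join(critical_paths(FLOWS)))
```

Running the script lists 18 candidate threats for the three-element diagram and names both flows as critical paths, since each one crosses a boundary. In a workshop the output is a starting checklist, not a result: the team strikes entries that do not apply, adds the threats the mapping cannot know about, and records a mitigation or an accepted risk against each remaining line.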
About The Trainer
Simon Whittaker has been providing security services & training to both local organisations and some of the world’s largest companies for over 10 years.
Simon’s background in both development and system/network administration gives him a clear view of how best to compromise and secure the services and applications in scope, and of how to pitch training courses, content and practicals at the right audience.
Most of Simon’s work involves helping companies test and improve their secure coding practices, carrying out penetration and security testing, and providing security consultancy to companies keen to improve their processes and procedures.
Simon also has extensive experience in developing and implementing efficient, effective practices across departments to help organisations secure and retain external quality recognition such as ISO 27001.
This workshop is suitable for anyone working in software development: engineers, designers, business analysts, QA and others will all benefit from attending, ideally as a team.
Attendees should have at least 6 months industry experience to get the most out of this workshop. It is a highly practical workshop with at least 80% of your time spent modelling and working collaboratively in groups.