Trainer Name: Geoffrey Hill

Title: Rapid Threat Model Prototyping (RTMP)... threat modeling optimized for Agile (finally)!

Duration: 3 Days

Dates: Sept. 6, 2022 To Sept. 8, 2022

Training Objectives

The overall objective of the Rapid Threat Model Prototyping course is to provide the delegates with a structured and streamlined method to integrate threat modeling into a modern, quick-paced development environment. Delegates will achieve the following 3 training goals:

Goal 1: Clear understanding of why traditional threat modeling fails when applied to a modern software workflow
Goal 2: The ability to analyze, use and link publicly available security frameworks (e.g. OWASP Top 10, MITRE CWE, AWS, Azure)
Goal 3: Introduction to the structure of Agile Architecture and Rapid Threat Model Prototyping, and their integration into an Agile-based environment

Training level: Intermediate; Advanced

Training Outline

The following modules will be presented to the class:

Day 1
Module 1 - Why do Threat Modeling? (Introduction and background)
Module 2 - Conceptual Threat Frameworks (STRIDE, OWASP Top 10, MITRE CWE, MITRE ATT&CK)

Day 2
Module 3 - Threat Model Decomposition (what elements make up a threat model)
Module 4 - Threat Modeling 101 (the basics of how to do a threat model)

Day 3
Module 5 - Rapid Threat Model Prototyping (Agile Architecture process and integrating new steps)
Module 6 - Lab (putting all the previous modules together in a large lab)

There will be a number of smaller labs and presenter-led discussions per module. All labs are group-based rather than individual activities, because that is how threat modeling is done in actual work environments.

What to Bring?

Each delegate should bring a laptop with access to a technical drawing tool such as draw.io or Lucidchart.

Training Prerequisites

There are no specific prerequisites for this course. However, a general understanding of development practices and a broad understanding of current threats are desirable.

Delegates should read Adam Shostack's seminal book, "Threat Modeling: Designing for Security" to get an understanding of what threat modeling is and how it works.

There are group discussions and instructor-led 'hands-on' labs within each module of this course. Delegates can observe the instructor's demonstrations or engage fully with each hands-on lab, depending on their experience.

Who Should Attend?

The intended audience for this course is primarily system developers, designers, and architects, plus anyone with an interest in building and maintaining a secure systems lifecycle.

What Will Attendees Get?

Delegates will get a collection of supporting documents regarding the course contents.

What to Expect?

Delegates will understand how to leverage current, well-known security frameworks when developing living threat models that can be quickly created and maintained in an Agile environment.

What not to Expect?

This is not a secure coding course. It is not a threat hunting course. It is not an Agile course.

This course covers the methods, processes, and frameworks that are crucial for designing secure software systems.

About the Trainer

Geoff Hill worked for 5 years on Wall Street as a commodities trader. He created an options pricing program and sold its results daily on the NYC Commodities Exchange. He spent 8 years at Microsoft and created an Agile-focused SDL process for Microsoft's customers.

Geoff has also developed threat model theories with Adam Shostack, the leading threat model specialist in the world. He worked for Cigital (a specialist security firm) for 2 years and then spent 4 years as a software security architect for Visa Europe. He has been a threat modeling and application security trainer for 10+ years.

Most importantly, he is a co-founder of an Agile-based threat model consultancy and the creator of the Tutamen automated threat modeling SaaS product (founder of Tutamantic_Sec).