- Threat Modelling
Trainer Name: Geoff Hill
Title: Threat Modelling
Duration: 4 Days
Dates: 1st - 4th March 2021
Time: 10:00 AM to 2:00 PM IST
Delivery Mode: via Zoom.us and Discord Platform
The learning path covers why we need to do security architectural and design analysis & threat modelling as part of our secure software development lifecycle. This is even more important today, with high-volume code turnarounds which can create a huge amount of system dependencies in a short period of time.
Will start with the introduction to threat analysis using the attack kill-chain, defense-in-depth, and security framework integration (STRIDE, OWASP Top 10). There will be several small labs during the session. It will also cover the basics of a threat model exercise. we will explore the elements of a threat model and how to research & discover them.
We will understand:
- Security threat frameworks
- Attack Kill Chain
- Att&ck matrix (from Mitre)
- Defense-In-Depth model
- Open Systems Interconnectivity model (OSI)
- OWASP Top 10 (OT10)
- Common Weakness Enumeration (CWE)
- Relations between threat frameworks
- Attack Kill Chain to STRIDE
- Attack Kill Chain to Att&ck
- Defense-In-Depth to OSI
- STRIDE to OT10
- Threat model elements
- How stakeholders link to assets and security risk
- How threats and threat agents link to vulnerabilities and mitigations ◦ How to quantify threat agents for critical software systems
And you’ll be able to:
- Use the threat frameworks to assess threats
- Use the relationship between frameworks to speed up threat discovery
- Use the relationship between frameworks to build faster mitigation plans
- Assess the danger of classes of threat agents
- Use different types of threat modeling based on time available and criticality
Then we will start by going over the approach to threat modeling in real-world scenarios. The Rapid Threat Model Prototyping (RTMP) methodology will then get introduced, framed by secure Agile Architecture practices. It will finish with a big lab that combines all the concepts from the start.
We will understand:
- Threat model steps
- When to do different types of threat models
- How to identify access control dangers in threat model data flows
- How Business strategies drive strategic architecture decisions
- Strategic and tactical Agile secure architecture principles
- Rapid Threat Model Prototyping and how it works in DevOps
And you’ll be able to:
- Derive strategic secure architectural requirements from business requirements
- Integrate threat model steps into an Agile workflow
- Create good fidelity threat models faster and within Agile sprints
Who Should Attend
This training is for you because
- You’re an architect, developer, tester, security specialist
- You work with modern software development
- You want to become a security architect or SME
- Technical knowledge with building software Recommended reading preparation
- Threat Modeling: Designing for Security By Adam Shostack
- Developer-Enabled Threat Modeling By Izar Tarandach and Matthew J. Coles
- GitHub “rapid-threat-model-prototyping-docs”
Geoff is the founder of Tutamantic Sec and the creator of the open-source Rapid Threat Model Prototyping methodology in addition to the Tutamen automated threat modelling SaaS product. He is current working as the head application security architect for a financial commodities firm in London.
He built up his work experience initially by building Wall Street trading platforms including a fair-value options pricing suite that sold results daily on the New York Commodities Exchange.
As a global technology leader he has nearly 3 decades of software design, development and security in cities around the world. This includes 8 years at Microsoft, working both as a developer/consultant and as an application security specialist. During this time he created an Agile-focussed Security Engineering process. He also developed threat model theories with the help of one of the leading threat model experts, Adam Shostack.
Geoff has provided security consultancy at Cigital, Bank of England, Sony Mobile, Visa and a number of European banks where he was the main provider of threat modelling and application security knowledge. He has also delivered security training through JB International (a global IT training company) for a number of internationally recognised companies, including the BBC.
He is active on Twitter and LinkedIn. You can contact him via @Tutamantic_Sec on Twitter.