Join our in person and virtual trainings at BlackHat, DEF CON Seattle and HITB Abu Dhabi

Secure Development Trainings

TMP – Threat Modeling Pro

This course will teach how to kickstart Threat Modeling in your development cycles

Online

Trainers

Picture of Davide Cioccia

Davide Cioccia

Founder and Principal Security Architect @ DCODX

Hi there! I’m Davide Cioccia, founder of DCODX, an ethical hacking, and DevSecOps consulting and coaching firm. Besides helping companies implement their Sec in DevOps, I’m also a developer of security tools (check our GitHub), OWASP Mobile Security Testing Guide contributor and DevSecCon Chapter Lead for the Netherlands. You can find my talks at security conferences like BlackHat, OWASP AppSec, DevSecCon, DevDays Europe and more online, together with some CVE disclosed to Microsoft and other big vendors. Enjoy my course :)

Course overview

Threat modeling is one of the most important activities in secure software development. This course is designed to give students a practical understanding of Threat Modeling, through whiteboard exercises, real case scenarios, tools, and techniques available in the security industry. The course is project-oriented. Students will go over hands-on labs together with the trainer and solve some of the challenges presented. During the course, other concepts like Secure Coding Principles, Security Requirements, Agile Threat Modelling, Threat Modelling as Code, and Cloud Security will be introduced. This is to ensure that students have a complete overview of the differences and the output of each phase.
Prerequisites
  • Interest in security
Target audience
  • Security Engineers
  • Security Champions
  • DevOps
  • Developers
  • Cloud Engineers / Operations
  • Product Owners

Syllabus

Secure Software Development Lifecycle
Design Review, Threat Model and secure CI/CD pipeline introduction
DevOps to DevSecOps: how to
Threat Model in DevSecOps
Secure Design
The OWASP Application Security Verification Standard
From user cases to abuse cases
From abuse cases to security requirements
LAB: OWASP SKF introduction
Practical Threat Modelling
The STRIDE framework: what is it and how to use it
Threat rating methodologies (CVSS , DREAD)
Threat actor centric modeling approach (MITRE ATT&CK and DEF3ND)
LAB: Whiteboard exercise: Web Application Threat Modeling
Cloud Threat Modeling
Differences between Cloud and Web Threat Modelling
Introduction to the Egregious Eleven (CSA)
Cloud Security Requirements and Threats
Case Study: AWS Threat Modelling
LAB: Whiteboard exercise: Cloud Security Threat Modeling
Mobile Threat Model
Android Application Threat Model
iOS Application Threat Model
Threat Model for DevSecOps
Rapid and Continuous Threat Modelling Assessment: microservices
LAB: Threat Model as Code
Automate your remediation tests: BDD testing
LAB: Build your first BBD test in Cucumber
Documentation
How to store threats, issues and remediations
Threat Modeling JIRA stories