Threat-modeling

Training Objective

Threat Modeling is considered an essential activity in the modern Software Development Life-cycle. It helps identify threats and possible vulnerabilities early, to the point where, if done correctly, the vulnerability never surfaces in a given environment or application. However, most organizations do Threat Modeling ineffectively. It has been reduced to an infrequent and ineffective process. Most organizations do Threat Modeling for large systems, resulting in a “boil the ocean” effect that leads to ineffective Threat Analysis. Worse, the result has no meaning for or bearing on the engineering and product teams that actually deliver these applications to customers.

What will attendees learn?

This training focuses on delivering effective Threat Modeling in the Agile SDLC. It takes battle-tested threat modeling principles and methodologies and trains students to implement an effective yet efficient Threat Model in a time- and resource-constrained Agile (and DevOps) driven SDLC.

we45 - An Advocate for Actionable TM

we45 is a vocal proponent of actionable threat modeling. we45's much-lauded open source project, Threat Playbook, has been showcased at marquee application security conferences across the world.
Threat Playbook showcased at OWASP Seasides
Threat Playbook showcased at Black Hat Arsenal 2018
we45's Threat Modeling talk at AppSecDay 2018, Melbourne

Frequently Asked Questions

What would I be able to achieve through this training?

This training will help attendees develop a deep understanding of threat modeling practices and concepts. Additionally, the training demonstrates threat modeling per feature, which helps attendees achieve iterative threat modeling in an agile SDLC.

How would this program benefit Security and Product Engineers?

Threat modeling brings development and security teams closer. Security professionals better understand the architecture and workflow of the product, while developers learn more about security threats specific to their product. Threat modeling therefore helps each team better appreciate what the other does, enabling better acknowledgement of security controls and remediation strategies.

Additional Resources

Threat Model, like Sherlock!

While Sherlock is a fictional character, we can draw certain parallels to application security from his approach to deductive investigation. Sherlock uses something akin to a Threat Modeling approach to account for all factors before making deductions.

we45 Webinar

Threat Modeling usually produces no actionable outputs, and the activity is thereby relegated to the status of a "Policy/Best Practice Document". We believe that threat models are playbooks of product security engineering, and thus we feel that the best way to conduct Threat Modeling is by integrating it into the Software Development Lifecycle (SDLC).

Open Source Project: Threat Playbook

It is our belief that Threat Models should produce actionable outputs, which is why we have developed "ThreatPlaybook", an open source "Threat Modeling as Code" framework that allows product teams to capture user stories, abuser stories, threat models and security test cases in YAML files.