TMP - Threat Modelling Professional

Learn how to start threat modelling applications without being held back by paperwork. In this course we introduce threat modelling for web, cloud and mobile applications.

This is a full 8-hour hands-on course in which you will learn the practical fundamentals of threat modelling and how to apply it as part of the SSDLC. You will learn how to use STRIDE, MITRE ATT&CK, and OWASP standards to identify threats in your applications.

Prerequisites

  • Interest in security

Target audience

  • Security Engineers

  • Security Champions

  • DevOps

  • Developers

  • Cloud Engineers / Operations

  • Product Owners

Abstract

Threat modelling is one of the most important activities in secure software development. This course is designed to give students a practical understanding of threat modelling through whiteboard exercises, real-world case scenarios, and the tools and techniques available in the security industry. The course is project-oriented: students work through hands-on labs together with the trainer and solve the challenges presented. During the course, related concepts such as Secure Coding Principles, Security Requirements, Agile Threat Modelling, Threat Modelling as Code, and Cloud Security are also introduced, so that students get a complete overview of the differences between these phases and the output of each one.

Syllabus

Secure Software Development Lifecycle

  • From SDLC to SSDLC (shift left)

  • OWASP Top 10 2021 introduction

  • Design review, threat model and secure CI/CD pipeline introduction

  • DevOps to DevSecOps: how to

Secure design

  • Secure design principles

  • OWASP ASVS V4

  • From use cases to abuse cases

  • From abuse cases to security requirements

  • LAB: OWASP SKF introduction

Practical Threat Modelling

  • The STRIDE framework: what it is and how to use it

  • Threat rating methodologies (CVSS, DREAD)

  • Threat-actor-centric modelling approach (MITRE ATT&CK)

  • LAB: Whiteboard exercise

  • Web application threat model

Cloud Threat Modelling

  • Differences between cloud and web threat modelling

  • The Egregious Eleven (CSA)

  • Tesla in-depth practical example

  • Cloud security requirements

  • CSA Cloud Controls Matrix: how to use it

  • STRIDE and the Egregious Eleven for cloud environments

  • AWS threat modelling

  • LAB: Whiteboard exercise

  • Cloud security threat modelling

Mobile Threat Model

  • OWASP MASVS

  • Top threats in mobile applications: OWASP Mobile Top 10

  • STRIDE for mobile applications

  • LAB: Whiteboard exercise

  • Android application threat model

Agile Threat Model

  • Threat model for DevSecOps

  • Rapid and continuous threat modelling assessment: microservices

  • LAB: Hands-on

Threat Model as Code

  • Automate your remediation tests: BDD testing

  • LAB: Hands-on

  • Build your first BDD test in Cucumber

Tools and technologies

  • Documentation

  • How to store threats, issues and remediations

  • Confluence and JIRA

Why should you attend this course?

This course will teach you how to start securing applications and cloud infrastructure as early as possible, giving you the knowledge and the tools required to run threat modelling exercises with your team.

More info? Contact us at trainings@dcodx.com
