Course Details
As skilled and experienced professionals we know that there is a gap between academic knowledge of threat modeling and the real world. To close that gap, we developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using the OWASP Application Threat Modeling methodology, we provide our students with the best training possible and the templates to incorporate threat modeling best practices in their daily work.
Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on:
- B2B web and mobile applications, sharing the same REST back-end
- An IoT deployment with a gateway and a cloud-based update service
- OAuth scenarios for an HR application
- Privacy of a new face recognition system in an airport
- Get into the defenders’ head, attacking a nuclear facility
Outline
Day 1
- Threat modelling introduction
- Threat modelling in a secure development lifecycle
- What is threat modelling?
- Why perform threat modelling?
- Threat modelling stages
- Different threat modelling methodologies
- Document a threat model
- Diagrams –what are you building?
- Understanding context
- Doomsday scenarios
- Data flow diagrams
- Trust boundaries
- Sequence and state diagrams
- Advanced diagrams
- Hands-on: diagram B2B web and mobile applications, sharing the same REST backend
- Identifying threats –what can go wrong?
- STRIDE introduction
- Spoofing threats
- Tampering threats
- Repudiation threats
- Information disclosure threats
- Denial of service threats
- Elevation of privilege threats
- Attack trees
- Attack libraries
- Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premise gateway and secure update service
Day 2
- Addressing each threat
- Mitigation patterns
- Authentication: mitigating spoofing
- Integrity: mitigating tampering
- Non-repudiation: mitigating repudiation
- Confidentiality: mitigating information disclosure
- Availability: mitigating denial of service
- Authorization: mitigating elevation of privilege
- Specialist mitigations
- Hands-on: threat mitigations OAuth scenarios for web and mobile applications
Target Audience
Threat modeling is a crucial technique to assure more secure software and systems. The OWASP Application Threat Modeling training will provide our students with the know-how, templates, and exercises to start threat modeling themselves. Key takeaways are:
- becoming a better (security) professional
- understanding the process and technique of threat modeling
- knowing when and how to introduce and improve threat modeling
Prerequisites
Students should be familiar with basic knowledge of web and mobile applications, databases & Single sign-on (SSO) principles