Hands-on Threat Modeling aka Whiteboard Hacking

The date of this training will be announced later. Signing up is already possible; we will notify you of the new date once it is set.

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world.

This course is powered and delivered by the experts of Toreon.

To minimize that gap, we have developed a 2-day course with practical use cases based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged, in groups of 3 to 4 people, to perform the different stages of threat modeling on the following:

  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on-premise gateway and a cloud-based update service
  • OAuth scenarios for an HR application
  • Privacy of a new face recognition system in an airport

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years, we released this advanced threat modeling training at Black Hat USA 2019.

Some feedback from our Black Hat training attendees:

  • “Sebastien delivered! One of the best workshop instructors I've ever had.”
  • “Very nice training course, one of the best I ever attended.”
  • “I feel that this course is one of the most important courses to be taken by a security professional.”
  • “The group hands-on practical exercises truly helped.”

Keywords:

  • Threat modeling
  • Secure application design
  • Technical architecture risk analysis
  • Privacy by design

This course is aimed at software developers, architects, system managers and security professionals. Before attending this course, students should have a basic knowledge of web and mobile applications, databases, and single sign-on (SSO) principles. Students should bring their own laptop to the course.

The Course

Threat modeling is the primary security analysis task performed during the software design stage. It is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objective, threat, and attack modeling activities performed during threat modeling are designed to help you find vulnerabilities in your application and its supporting architecture. You can use the identified vulnerabilities to shape your design and to direct and scope your security testing.

Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.

Topics

Threat modeling introduction

  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Different threat modeling methodologies
  • Document a threat model

Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust boundaries
  • Sequence and state diagrams
  • Advanced diagrams
  • Hands-on: diagram B2B web and mobile applications, sharing the same REST backend

Identifying threats – what can go wrong?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Attack trees
  • Attack libraries
  • Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on-premise gateway and secure update service

Addressing each threat

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Specialist mitigations
  • Hands-on: threat mitigations for OAuth scenarios for web and mobile applications
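As an added worked example (not part of the course material or Toreon's own code), the snippet below applies STRIDE-per-element to a constructed data flow diagram of the first use case (web and mobile clients sharing one REST backend) and maps every threat it finds to the mitigating property listed in the "Addressing each threat" topics; the element names, types and trust zones are assumptions made for the example.

```python
from collections import namedtuple

# STRIDE category -> security property that mitigates it (the pairing used in
# the "Addressing each threat" topic list above).
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}
# STRIDE-per-element: which categories apply to each DFD element type.
APPLICABLE = {"external": "SR", "process": "STRIDE",
              "datastore": "TRID", "dataflow": "TID"}

# kind is external | process | datastore; zone is the trust zone it lives in.
Element = namedtuple("Element", "name kind zone")
Flow = namedtuple("Flow", "name src dst")

def crosses_trust_boundary(flow):
    # A flow crosses a trust boundary when its endpoints sit in different zones.
    return flow.src.zone != flow.dst.zone

def stride_threats(elements, flows):
    # Returns (target, threat, mitigating property) triples. Every element gets
    # the categories for its type; flows are analysed only where they cross a
    # trust boundary, which is where the diagramming stage says to look first.
    threats = []
    for e in elements:
        threats += [(e.name, *STRIDE[c]) for c in APPLICABLE[e.kind]]
    for f in flows:
        if crosses_trust_boundary(f):
            threats += [(f.name, *STRIDE[c]) for c in APPLICABLE["dataflow"]]
    return threats

# Constructed diagram of the course's first use case: web and mobile clients
# sharing one REST backend, with a database behind it in a third zone.
WEB = Element("web app", "external", "internet")
MOBILE = Element("mobile app", "external", "internet")
API = Element("REST backend", "process", "dmz")
DB = Element("customer DB", "datastore", "internal")
ELEMENTS = [WEB, MOBILE, API, DB]
FLOWS = [Flow("web->api", WEB, API), Flow("mobile->api", MOBILE, API),
         Flow("api->db", API, DB)]

if __name__ == "__main__":
    for target, threat, prop in stride_threats(ELEMENTS, FLOWS):
        print(f"{target:14} {threat:24} mitigate via {prop}")
```

Each generated triple is a candidate to record in the threat model template and to rate for risk; the generated list is a starting point that the workshop discussion then prunes and refines.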

Privacy threat modeling

  • GDPR
  • Privacy by design
  • Privacy impact assessment (PIA)
  • Privacy threats
  • LINDDUN
  • Mitigating privacy threats
  • Hands-on: privacy threat modeling of a face recognition system in an airport

Advanced threat modeling

  • Typical steps and variations
  • Validating threat models
  • Effective threat model workshops
  • Communicating threat models
  • Updating threat models
  • Threat model examples: automotive, industrial control systems, IoT and cloud

Threat modeling resources

  • Open-Source tools
  • Commercial tools
  • General tools
  • Threat modeling tools compared

Examination

  • Hands-on examination
  • Grading and certification

The student package

The course students receive the following package as part of the course:

  • Hand-outs of the presentations
  • Worksheets of the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Certificate: after passing the exam (passing grade defined at 70%), the student receives a certificate of successful completion of the course

2.4 Threat modeling – real world use cases

As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.

In order to minimize that gap, we have developed practical use cases based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands-on workshops, we give our students a robust training experience and the templates to incorporate threat modeling best practices into their daily work.

Students will be challenged, in groups of 3 to 4 people, to perform the different stages of threat modeling on:

  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on-premise gateway and secure update service
  • OAuth scenarios for mobile and web applications
  • Privacy impact assessment of a face recognition system in an airport

After each hands-on workshop, the results are discussed, and the students receive a documented solution.

The programme

Day 1 and 2:
  9:00 - 12:00   Training part 1
  12:00 - 13:00  Lunch
  13:00 - 17:00  Training part 2

Cost: € 1450,-
Location: will follow soon (Amsterdam or Utrecht)

Experts/speakers

  1. Sebastiaan Deleersnyder, IT-security specialist and Co-founder & CEO at Toreon

    Sebastien Deleersnyder led engagements in the domains of ICT security and web and mobile security with several customers in the private and public sector.

  2. Steven Wierckx, Security Consultant at Toreon

    Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and ..

  3. Thomas Heyman, Senior Security Consultant at Toreon

    Thomas Heyman is an application security expert with 14 years of experience in both academia and industry. He has a PhD in secure software engineering, and has experience in threat modeling, secure ar..