Live Online training

Hands-on Threat Modeling

A crash course on whiteboard hacking

Sebastien Deleersnyder

Threat modeling (also known as architecture risk analysis) is the primary security analysis task performed during the software design stage. It is a structured activity for identifying and evaluating application threats and related design flaws. You use the identified flaws to adapt your design, or scope your security testing.

Threat modeling allows you to consider, identify, and discuss the security implications of user stories in a structured fashion, and in the context of their planned operational environment. This threat modeling crash course will teach you to perform threat modeling through a series of exercises. Our trainer will guide you through the different stages of a practical threat model, based on a migration from a “classical” web application to a combination of AWS-hosted microservices.

In this workshop you will learn an iterative and incremental threat modeling method that you can integrate in your development and deployment pipeline. This method allows you to consider security issues at your application and component levels.

Exercises are built upon a fictional Acme Hotel Booking (AHB) system, where we migrate a legacy client-server system towards a cloud-based microservice stack using AWS services.

What you'll learn, and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • Where threat modeling fits in a secure development lifecycle
  • The benefits of threat modeling
  • The different stages of threat modeling
  • The STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege)
  • Secure design mitigations
  • Risk rating

And you’ll be able to:

  • Create and update your own threat models with an incremental technique
  • Identify design flaws in your software
  • Use threat modeling as an awareness tool for your team and stakeholders
  • Get your team on the same page with a shared vision on security

This training course is for you because...

  • You’re an application security champion, software architect or IT security specialist
  • You work with development and DevOps teams to increase software assurance and resilience
  • You want to become an application security expert

Prerequisites

  • Familiarity with core principles of software engineering, software security, microservices, cloud architectures and AWS.

About your instructor

  • Seba is co-founder and CEO of Toreon and is a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and has given several public presentations on application security. Seba also co-organized the yearly BruCON security and hacker conference and trainings in Belgium.

    With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience. Seba has taught threat modeling (or “whiteboard hacking”) trainings at Black Hat, OWASP, BruCON and O’Reilly Velocity.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

Introduction to threat modeling (20 minutes)

  • Presentation: Threat modeling in a secure development lifecycle (5 minutes)
  • Presentation: Threat modeling stages (10 minutes)
  • Q&A (5 minutes)

Diagrams – what are you building? (40 minutes)

  • Presentation: Data flow diagrams (15 minutes)
  • Presentation: Trust boundaries (10 minutes)
  • Exercise: Diagram the AHB applications, sharing the same REST backend (15 minutes)
  • Q&A (5 minutes)

Break (5 minutes)

Identifying threats – what can go wrong? (40 minutes)

  • Presentation: STRIDE (15 minutes)
  • Presentation: Threat tables (10 minutes)
  • Exercise: Threat identification, migrating the AHB applications to AWS. (15 minutes)
  • Q&A (5 minutes)

Break (5 minutes)

Addressing each threat (40 minutes)

  • Presentation: Mitigation patterns, with AWS examples (10 minutes)
  • Presentation: OWASP risk rating (10 minutes)
  • Exercise: AHB threat mitigation of microservices and S3 buckets (15 minutes)
  • Q&A (5 minutes)

Practical threat modeling (20 minutes)

  • Presentation: The do's and don'ts for practical threat modeling (5 minutes)
  • Exercise: Threats & mitigations for the AHB CI/CD pipeline (10 minutes)
  • Q&A (5 minutes)