
Advanced Whiteboard Hacking - aka Hands-On Threat Modeling

Toreon | August 4-5 & August 6-7



Overview

Building on our successful trainings of the last few years, we are premiering this advanced threat modeling training at Black Hat USA 2018.
As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world.
To close that gap we have developed practical use cases based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands-on workshops, we give our students a robust training experience and the templates to incorporate threat modeling best practices in their daily work.

Students will be challenged to work in groups of 3 to 4 people through the different stages of threat modeling on the following:
  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on-premises gateway and a cloud-based update service
  • OAuth scenarios for an HR application
  • Privacy of a new face recognition system in an airport

After each hands-on workshop, the results are discussed and students receive a documented solution. Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley).
Toreon provides the experienced trainer Sebastien Deleersnyder to share his practical threat modeling experience. Sebastien has led engagements in ICT security, web security and mobile security for several customers in the private and public sector. He is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and has given several public presentations on web application, mobile and web services security. Furthermore, Sebastien co-founded the yearly BruCON conference.
Threat modeling is the primary security analysis task performed during the software design stage. It is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats and attack modeling activities carried out during threat modeling are designed to help you find vulnerabilities in your application and its supporting architecture. You can use the identified vulnerabilities to shape your design and to direct and scope your security testing.
Threat modeling allows you to consider, document and discuss the security implications of designs in a structured fashion and in the context of their planned operational environment. It also allows security issues to be considered at the component or application level. This course will teach you to perform threat modeling through a series of workshops, in which our trainer guides you through the different stages of a practical threat model.

Who Should Take this Course

This course is aimed at software developers, architects, system managers or security professionals.

Student Requirements

Before attending this course, students should be familiar with basic threat modeling concepts, STRIDE, web and mobile applications, and single sign-on (SSO) principles.

What Students Should Bring

The students should bring their own laptop to the course (to download and consult the course materials).

What Students Will Be Provided With

Students receive the following package as part of the course:
  • A hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Worksheets for the use cases
  • Detailed solution descriptions for the use cases
  • A template to document a threat model
  • A template to calculate risk levels of identified threats
  • A certificate: following a successful exam (passing grade defined at 70%), the student receives certification for successful completion of the course

Trainers

Sebastien Deleersnyder will share his practical threat modeling experience. He specializes in application security, combining his software development and information security experience. Sebastien has led engagements in ICT security, web security and mobile security for several customers, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. In the last 15 years he has delivered several successful secure development lifecycle projects in the financial and utility sector, started up software security groups, supported customers in selecting and implementing web application firewalls (WAF), delivered web application security training and closed a lot of audit findings regarding application security :-). Sebastien started the Belgian OWASP Chapter, was a member of the OWASP Foundation Board and has given several public presentations on web application and web services security. He also co-founded the yearly BruCON security and hacker conference and trainings in Belgium. Sebastien holds CISSP, CISM, CISA and Prince2 Practitioner certifications. Specialties: application security, secure development lifecycle, ICT security product management, business development and security project management.

Steven Wierckx is a consultant at Toreon. A software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design, Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. This year, he spoke at Hack in the Box Amsterdam, hosted a workshop at BruCON and delivered threat modeling trainings at OWASP AppSec USA and O'Reilly Security New York.