T4: agile whiteboard hacking

Training Details

2-DAY TRAINING, 3-4 SEPTEMBER @ MEERVAART AMSTERDAM
TICKET PRICE: €1500 EXCL. VAT


We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.

The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).

As highly skilled professionals with years of experience under our belts, we're intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

  • Diagram techniques applied on a travel booking service
  • Threat model a cloud-based update service for an IoT kiosk
  • Create an attack tree against a nuclear research facility
  • Create a SOC Risk Based Alerting system with MITRE ATT&CK
  • Mitigate threats in a payment service built with microservices and S3 buckets
  • Threat modeling a Machine Learning-Powered Chatbot
  • Apply the OWASP Threat Modeling Playbook on agile development
  • Threat modeling the CI/CD pipeline
  • Battle for control over "Zwarte Wind", an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution.

As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback.

All participants get our Threat Modeling Playbook to improve your threat modeling practice, one-year access to our online threat modeling learning platform, and one-hour personal coaching to refine your threat modeling.

Course Outline

Threat modeling introduction

  • Threat modeling in a secure development lifecycle
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Different threat modeling methodologies
  • Document a threat model

Diagrams – what are you building?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust boundaries
  • Sequence and state diagrams
  • Advanced diagrams
  • Hands-on: Diagram techniques applied on a travel booking service
  • Document a threat model

Identifying threats – what can go wrong?

  • STRIDE introduction
  • STRIDE threats
  • Hands-on: Threat model a cloud-based update service for an IoT kiosk
  • Attack trees
  • Hands-on: Create an attack tree against a nuclear research facility
  • Attack libraries
  • MITRE ATT&CK
  • Hands-on: Create a SOC Risk Based Alerting system with MITRE ATT&CK

Addressing each threat

  • How to address threats
  • Mitigation patterns
  • Value of standard mitigations
  • Setting priorities through risk calculation
  • Risk management
  • Threat agents
  • The mitigation process
  • Hands-on: Mitigate threats in a payment service built with microservices and S3 buckets

Threat modeling, compliance and machine learning

  • How to marry threat modeling with compliance
  • GDPR and Privacy by design
  • Privacy threats
  • LINDDUN and mitigating privacy threats
  • Threat modeling medical devices
  • Threat modeling Industrial Control Systems (IEC 62443)
  • Threat Assessment and Remediation Analysis for automotive (TARA, SAE 21434)
  • Mapping threat modeling on compliance frameworks
  • AI related threats and countermeasures
  • Hands-on: Threat modeling a Machine Learning-Powered Chatbot

Advanced threat modeling

  • Typical steps and variations
  • Validating threat models
  • Effective threat model workshops
  • Communicating threat models
  • Agile and DevOps threat modeling
  • Improving your practice with the Threat Modeling Playbook
  • Scaling up threat modeling
  • Hands-on: Apply the OWASP Threat Modeling Playbook on agile development
  • Hands-on: Threat modeling the CI/CD pipeline

Threat modeling resources

  • Open-Source tools
  • Commercial tools
  • General tools
  • Threat modeling tools compared

Examination

  • Hands-on examination
  • Grading and certification

Battle for control over "Zwarte Wind", an offshore wind turbine park

Red team versus Blue team battle for control over an offshore wind turbine park

Review session (online session after 1 month)

  • Hand-in of your own threat model
  • Individual feedback on your threat model
  • Review session

Hardware Requirements

Bring your own tablet or laptop to get access to our learning platform with all the handouts and solutions.

Software Requirements

Your brain :-)


SEBASTIEN DELEERSNYDER

CTO and Co-Founder - Toreon


Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering from the University of Ghent, and has extensive experience in the development and training of secure software. He is the founder of the Belgian chapter of OWASP and a former member of the OWASP Foundation Board.

In 2022, Seba was honored as the Cyber Security Personality of the Year by the Cyber Security Coalition in Belgium, where he currently serves as the chair of the new AppSec focus group. Through his leadership on OWASP projects such as OWASP SAMM, Seba has made a significant impact in improving global security. He is currently focused on adapting application security models to the evolving landscape of DevOps and raising awareness of the importance of threat modeling among a wider audience.