Whiteboard Hacking aka Hands-on Threat Modeling

Toreon | July 22-23 & July 24-25



Overview

Threat Modeling – Real Life Use Cases

As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.

In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.

The students will be challenged to perform the threat modeling in groups of 3 to 4 people performing the different stages of threat modeling on the following. After each hands-on workshop, the results are discussed, and the students receive a documented solution.:
  • • B2B web and mobile applications, sharing the same REST backend
  • • An Internet of Things (IoT) deployment with an on premise gateway and secure update service
  • • OAuth scenarios for mobile and web applications


Course topics:

Threat modeling introduction
  • Threat modeling in a secure development lifecycle
  • What is threat modeling
  • Why threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Document a threat model

Diagrams – what are you building?
  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Trust Boundaries
Hands-on: diagram B2B web and mobile applications, sharing the same REST backend

Identifying threats – what can go wrong?
  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Privacy threats
  • Attack trees
Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and secure update service

Addressing each threat
  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Mitigating privacy threats
Hands-on: Threat mitigations OAuth scenarios for web and mobile applications

Practical threat modeling
  • Strategies for risk management
  • Selecting mitigations
  • Threat ranking
  • Risk acceptance
  • Validating threat mitigations

Threat modeling tools
  • General tools
  • Open-Source tools
  • Commercial tools

Attack libraries
  • Libraries and checklists
  • CAPEC
  • OWASP Top 10
  • Building your own library

Examination
  • Hands-on examination
  • Grading and certification


Student package:

The course students receive the following package as part of the course:
  • Each student will receive a hard copy of the book: Threat Modeling, designing for security by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Work sheets of the use cases,
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

Who Should Take this Course

This course is aimed at software developers, architects, system managers or security professionals.

Student Requirements

Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & SSO principles.

What Students Should Bring

The students should bring their own laptop to the course.

What Students Will Be Provided With

The course students receive the following package as part of the course:
  • Each student will receive a hard copy of the book: Threat Modeling, designing for security by Adam Shostack (2014, Wiley)
  • Hand-outs of the presentations
  • Case worksheets and detailed solution descriptions
  • Template to document a threat model
  • Template to calculate risk levels of identified threats
  • Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

Trainers

Sebastien Deleersnyder will share his practical threat modeling experience. He specializes in Application Security, combining both his software development and information security experience. Sebastien has led engagements in the domain of ICT-security, Web and Mobile Security with several customers including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post , Flemish Community, Agfa-Gevaert and ING Insurance International. In the last 15 years he has performed several successful secure development lifecycle projects in the financial and utility sector, started up software security groups, supported customers in selecting and implementing Web Application Firewalls (WAF), delivered web application security training and closed a lot of audit findings regarding application security :-). Sebastien started the Belgian OWASP Chapter Leader, was a member of the OWASP Foundation Board and performed several public presentations on Web Application and Web Services Security. He also co-founded the yearly security & hacker BruCON conference and trainings in Belgium. Sebastien has achieved CISSP, CISM, CISA and Prince2 Practitioners certifications. Specialties: Application Security, Secure Development Lifecycle, ICT security product management, Business Development and Security Project Management