Threat Model Express
In this class, students learn about the attacks that their applications may face and an informal approach to threat modeling. They first learn the steps in executing a Threat Model Express, and then they engage in a fictional exercise with the instructor.
In this scenario, students perform all the activities of a threat model on a complex application, including analyzing the design and role-playing interviews.
Students will understand how to implement a Threat Model Express in their organization using this model pioneered by Security Compass.
- Understand the benefits of a traditional threat model vs. a threat model express exercise
- Engage in asking valuable questions that will effectively identify potential threats within an application
- Learn who should be involved in a Threat Model Express exercise and how to apply the model within your organization
- Engage in a Threat Model Express exercise with the instructor using a sample architecture
- What is threat modeling
- Traditional vs. Express Threat Modeling
1. Goals of the Threat Model
- Identifying and determining goals
- Identifying the scope
2. Gathering Information
- What kinds of information to gather
- Sources to gather information from
- Finding more about the application
- Distilling an application
- Developing data flow diagrams
3. Interview with the Architect
- Asking the right questions
4. Meeting Setup
- Who to invite to the meeting
- Roles of the participants
5. Determining Threats
- Establishing Threats
- Attacker motivations
- Business Logic attacks
6. Determining Risk
- Factors of Impact
- Factors of Likelihood
- Establishing countermeasures
8. Interactive Class Exercise
- Taking a sample architecture to perform a Threat Model Express
- Determining Threats
- Determining Risks
- Identifying countermeasures
- Plotting risk and countermeasures
Security Compass training courses are offered using a variety of delivery methods. Download the data sheet to learn more.
Security Compass offers this course as a public class. Contact us for a schedule of all our upcoming public training classes.