Training Class: Threat Modelling: From None to Done - John DiLeo


Details
The OWASP New Zealand Chapter is pleased to present our annual Training Days event. This year, we are offering classes in two cities - Auckland and Wellington, on different Saturdays in October.
In Wellington, we are offering a class on Saturday, 24 October:
Threat Modelling: From None to Done - John DiLeo
Registration check-in will open at 8:00 a.m., and classes will run from 8:45 a.m. to 5:30 p.m., with breaks for lunch and morning and afternoon tea.
Registration is NZ $195.00 (plus Eventbrite fees).
Rather than registering here on Meetup, please hop over to Eventbrite and register for a ticket there:
A special thank-you to Red Shield for providing the classroom space, and to Kirk Jackson for serving as our event host for the day.
Registration closes on Thursday, 22 October.
Threat Modelling: From None to Done
John DiLeo
Training Abstract:
This session offers participants an interactive introduction to Threat Modelling, based on the instructor's learning and experience over the past several years. A primary focus of this course is the introduction of threat modelling activities into your organisation's software development processes, to improve the overall quality and security of the applications you build.
As a recent "convert" to the application security world, your instructor has developed his "expertise" in threat modelling by gathering information from a variety of sources. He's combined those learnings with his own experience to create a practical threat modelling approach he has successfully applied within his professional roles.
In addition to addressing key questions around the "Five Ws," the presentation will cover the "Four Questions" approach to developing a model, and include several interactive exercises to provide direct experience. A brief review of available modelling tools will also be included, along with an approach to introducing Threat Modelling into your SDLC.
Objectives:
In this course, attendees can expect to:
Gain a better understanding of the motivations for, and benefits of, threat modelling
Learn the process for building a threat model, using the "four questions" approach
Learn how to introduce threat modelling into existing organisations, and into development projects working on "legacy" applications
Learn about available tools for creating and managing threat models
Learn about integrating threat modelling into the software development lifecycle
Topic Outline:
Introduction - Overview, and Initial Modelling Exercise
The Five Ws of Threat Modelling
Our Modelling Approach - Shostack's Four Questions (What are we working on? What can go wrong? What are we going to do about it? Did we do a good job?)
Identifying the Scope
Identifying Threats
Risk Management Overview
Identifying Mitigations
Selecting Mitigations
Verification and Validation
Getting Started - Incremental Threat Modelling
Tools for Creating Threat Models
Integration with the SDLC
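To make the outline above concrete, here is an added example (not course material and not the instructor's code) that walks a toy system through the Four Questions as a "threat model as code" script. It assumes STRIDE-per-element as the way to answer "what can go wrong", which the outline does not specify, and the system (browser, web app, cache, orders database, and the trust zones they sit in) is constructed for illustration. The point of the last step is that "did we do a good job?" can be checked mechanically: list threats with no chosen mitigation, give priority to flows that cross a trust boundary, and flag mitigations that no longer match any threat in the model.

```python
"""Shostack's Four Questions as a small threat-model-as-code script.

Added illustration only. Assumes STRIDE-per-element for "what can go wrong";
the system below is a constructed toy, not a real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store" (DFD element types)
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


# STRIDE-per-element: which threat categories apply to each element type.
# S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege
STRIDE_BY_KIND = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}

# Q1: What are we working on?  (constructed toy system)
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("Cache", "store", "dmz"),
    Element("OrdersDB", "store", "internal"),
]
FLOWS = [
    Flow("browser->webapp", "Browser", "WebApp"),
    Flow("webapp->cache", "WebApp", "Cache"),
    Flow("webapp->db", "WebApp", "OrdersDB"),
]


def zone_of(name, elements):
    return next(e.zone for e in elements if e.name == name)


def crosses_boundary(flow, elements):
    """A flow whose endpoints sit in different trust zones crosses a boundary."""
    return zone_of(flow.src, elements) != zone_of(flow.dst, elements)


# Q2: What can go wrong?  One (target, category) pair per applicable STRIDE letter.
def enumerate_threats(elements, flows):
    threats = []
    for e in elements:
        threats += [(e.name, c) for c in STRIDE_BY_KIND[e.kind]]
    for f in flows:
        threats += [(f.name, c) for c in STRIDE_BY_KIND["flow"]]
    return threats


# Q3: What are we going to do about it?  Chosen mitigations, keyed by threat.
# The last entry is deliberately wrong (E does not apply to a data store) so the
# verification step has something stale to report.
MITIGATIONS = {
    ("browser->webapp", "T"): "TLS 1.2+ with HSTS",
    ("browser->webapp", "I"): "TLS 1.2+ with HSTS",
    ("browser->webapp", "D"): "rate limiting at the edge",
    ("WebApp", "S"): "MFA; Secure+HttpOnly session cookies",
    ("WebApp", "E"): "server-side authorisation check on every request",
    ("webapp->db", "T"): "TLS to the database",
    ("webapp->db", "I"): "TLS to the database",
    ("OrdersDB", "I"): "least-privilege DB account; encryption at rest",
    ("OrdersDB", "E"): "stale entry: not a valid STRIDE-per-element threat",
}


# Q4: Did we do a good job?  Residual gaps, boundary-crossing gaps first, plus
# mitigations that reference threats the current model does not contain.
def verify(elements, flows, mitigations):
    threats = enumerate_threats(elements, flows)
    boundary_flows = {f.name for f in flows if crosses_boundary(f, elements)}
    unmitigated = [t for t in threats if t not in mitigations]
    return {
        "unmitigated": unmitigated,
        "boundary_unmitigated": [t for t in unmitigated if t[0] in boundary_flows],
        "stale": [m for m in mitigations if m not in set(threats)],
    }


if __name__ == "__main__":
    report = verify(ELEMENTS, FLOWS, MITIGATIONS)
    print(f"{len(enumerate_threats(ELEMENTS, FLOWS))} candidate threats, "
          f"{len(report['unmitigated'])} without a mitigation")
    print("Boundary-crossing gaps (fix first):", report["boundary_unmitigated"])
    print("Stale mitigations (model drifted):", report["stale"])
```

Running it shows the pattern the "Incremental Threat Modelling" topic is about: the first pass leaves most threats unmitigated, but the prioritised list of boundary-crossing gaps is short enough to act on, and the stale-mitigation check catches the model and the mitigation list drifting apart as the system changes.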
About John
John is an active member and leader of several OWASP projects and global committees, including as co-leader of the OWASP Application Security Curriculum Project. He also serves as a co-leader of the OWASP New Zealand Chapter.
In his day job, John serves as an internal application security consultant at Air New Zealand.
Twitter: @gr4ybeard