Infosec In the City (IIC)
#IICSG2019 Training — Building Secure Systems with Threat Modelling
by Avi Douglen, Bounce Security
You've decided that your products require a higher level of security, and now you need to start introducing security into your software design activities. But your team is focused on quick delivery, neglecting any discussion around quality or security. It can be hard to get developers and product managers to take security seriously... Threat modelling is one of the most effective security activities that can be performed whilst building a software application.
Threat modelling, a structured methodology for security-based analysis of a complex system, can help you identify and prioritise potential threats and attack vectors, and understanding the appropriate mitigations. A good threat model is essential for a robust, secure design and architecture, and can support mitigation of all relevant threats. This can also build customer confidence.
As the security team, you want to ensure your product teams are building systems based on a secure design. You want your developer teams to implement security features in their products. With training and some tangible experience, you will be able to create the threat models for your applications, and provide your teams with the artefacts they need to implement a secure design. You can even enable your developers to design a more secure architecture, easing the load off the security team and creating deeper integration and a higher level of security than enforcing it externally.
Date: 17-18 Jun 2019
Venue: Sands Expo & Convention Centre, Marina Bay Sands
Super Early Bird (Sign up by 31 Mar 2019): $3,000 SGD
Early Bird (Sign up by 30 Apr 2019): $3,300 SGD
Standard (Sign up by 31 May 2019): $3,600 SGD
Late: $3,900 SGD
We offer our Threat Modelling Workshop service to kickstart your security design efforts, teach your developers the skills required to build their own threat models for your products, and train with hands-on experience so that you are confident to continue to design secure products using threat modelling.
This interactive Workshop will consist of a series of informational classes, presenting the methodology and techniques in an educational format. This will largely be based on methodologies such as STRIDE-per-element, attack trees, and my own "Value Driven" approach for integrating lightweight threat modelling into an agile development workflow.
In between the classes, we will shift to hands-on, collaborative working sessions, wherein we will apply each of the techniques discussed. Eventually, we will go through the whole threat modelling process for a selection of features or use cases, for a sample application with modern architecture. Depending on the size of the audience, we will also break into smaller working groups.
I will facilitate these sessions, with the attendees all actively taking part in the modelling activity. We will rotate through a variety of approaches and techniques, with an open dialogue around the models to evoke insight and learn how to examine our assumptions.
Participants will take turns leading parts of the session under my guidance, with hands-on creation of different types of diagrams and other artefacts. Participants will also gain experience with a range of formal v. lightweight approaches, enabling them to select the most appropriate trade-off between depth and agility for each situation.
The course will cover the following topics, combined with both group exercises and hands-on challenges. Practice scenarios will be provided, based on real life systems, for which students will build threat models.
Day 1: Fundamentals and Threats
Overview — The course will start with explaining the concept of Threat Modelling in general, as well as defining goals — and non-goals — for a successful threat modelling practice. We will also cover "meta" topics like applicability, constraints, and output.
Modelling Basics — This will cover the basic tools, diagrams (e.g. DFDs), concepts, and different approaches to threat modelling.
Building Blocks — A common framework for building a threat modelling process, with replaceable modules.
Application Decomposition — How to diagram a system and dig into the correct details to flesh out the system's story. We will examine several scenarios.
STRIDE and Other Models — Some illustrative examples of the STRIDE classification framework, as well as alternative models for specific use cases.
Threat Identification — We will practice applying STRIDE by element for each of the scenarios.
Risk Rating — This shows different ways to understand the risk level per threat, and apply to those we have found (e.g. OWASP Risk Rating, CWSS, etc.).
Day 2: Mitigation and Agile
Countermeasures — Based on the previous analysed scenarios, the group will define countermeasures for each threat. We will discuss benefits, drawbacks, and alternatives.
Retrospective — Here we will take a look at the models we have completed, and analyse them for shortcomings.
Agile Integration — As an alternative to a full-size STRIDE matrix, we will see various options for lightweight threat models, as well as their constraints, and how to integrate with an agile development process. We will practice expanding user stories for our scenarios, and creating several new ones.
Full Process — As a culmination of all the techniques that were described during the course, students will be challenged to complete a full threat model for a (small) system, based on the different stages of threat modelling.
Extra — Depending on how fast the core modules and exercises are completed, some extras can be covered, e.g. optional tools, alternative methodologies, and additional practice scenarios.
Upon completion of training, attendees will know:
What is threat modelling, and why they need it.
How to build a threat model for an application.
Strategy to integrate a threat modelling process in their own agile development workflow.
PREREQUISITES FOR ATTENDEES
Some familiarity with development of a modern web-based application. Some coding experience (any modern language) preferred but not required.
ATTENDEES WILL BE PROVIDED WITH
ABOUT THE TRAINER & WHY AVI DOUGLEN IS THE BEST CHOICE
AVI DOUGLEN is a high-end, independent security architect and developer, with decades of experience implementing security requirements and protecting complex systems. He has been designing, developing, and testing secure applications for over 20 years, and is obsessed with maximising value output from security efforts, since originally building threat models at Microsoft over a dozen years ago.
At Bounce Security, we support organisations of all sizes in integrating security methodologies and products into their development processes, often providing training on secure coding and other security topics. We utilise various methodologies as circumstances demand, and adjust accordingly. Recently, our relentless drive to optimise security investment and threat modelling in particular, has led us to adapt the classic threat modelling methodology to a more agile workflow in order to empower developers and agile R&D teams.
Mr. Douglen is a frequent trainer and speaker at industry conferences, such as OWASP, RSA Conference, BSides, and DevSecCon, as well as developer conferences such as DevOpsDays and PyCon. He has trained hundreds of developers on security, including secure coding, security architecture, threat modelling, and more.
Avi also co-founded the OWASP Threat Modelling project, and is one of the project leaders. He also leads the OWASP Israel Chapter, and is the Conference Chair of Global AppSec Tel Aviv. He volunteers as a high school tech teacher and mentor, and is also a community moderator on https://Security.StackExchange.com/.