LIVE Instructor-Led Courses
Dismiss

Security & Threat Modelling training course

Appreciate Commercial Cyber Security Risks - Learn How To Best Tackle These In Line With OWASP Standards

JBI training course London UK

"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"

Brian Leek, Data Analyst, May 2022

Public Courses

07/01/19 - 2 days
£1500 +VAT
18/02/19 - 2 days
£1500 +VAT
01/04/19 - 2 days
£1500 +VAT

Customised Courses

* Train a team
* Tailor content
* Flex dates
From £1200 / day
EDF logo Capita logo Sky logo NHS logo RBS logo BBC logo CISCO logo
JBI training course London UK

  • What should ‘Threat Modeling’ look like in an organisation like yours?
  • Who should be involved?
  • What should be the objectives?
  • How should it be organised?
  • When should it be done?
  • What are the most common threats and attack vectors that should be considered?
  • How do Threats evolve and change over time?

OVERVIEW

One of the first steps in an Application Security programme is to perform Threat Models (which are models of an Application’s security profile, with the objective of proactively exposing potential security design flaws and vulnerabilities ).

But what should ‘Threat Modeling’ look like in an organisation like yours? Who should be involved? What should be the objectives? How should it be organised? When should it be done? What are the most common threats and attack vectors that should be considered? How do Threats evolve and change over time?

This hands-on practical session is designed to answer those questions by performing multiple Threat Models on typical inhouse Applications, and enabling a discussion between participants on the best way to execute them.

It is key that all key players in an Application Development workflow know what questions to ask (or should be asked), and more importantly, what is the ‘mesurable difference’ between teams that have performed Threat Models vs teams that have pushed products/services into production without evaluating its security profile and risks

 

Threat Modelling – Getting Started

How to get started

Who should be involved?

  • An experienced threat modeler should guide the automated threat modeler software. An externally hired expert should oversee the first threat model process run for an organization.
  • The Subject Matters Experts on the application are: lead developers, application architects, DevOps experts, people who know the business.

Define an approach.

  • Many approaches exist, pick one. This can be done with an expert threat modeler or find an expert threat modeler to fit your chosen approach.

Define a proper scope: start small and encapsulated. Enumerate the components:

  • Client SW
  • Compiled binaries
  • Exposed API endpoints
  • Data stores
  • External content providers

Create a DFD or any diagram that shows the data flows

  • Data flows
  • Transport layer
  • Authentication
  • Add trust boundaries and/or “what if” scenarios

 

 

Threat Modelling – Cheat Sheet

This Working Session aims to produce an overview of how to integrate threat modelling into an Agile/DevOps/Continuous Integration (ADCI) process. Keep in mind that a proper lightweight process should be easily repeatable with few moving parts (ie. steps). It should be flexible enough to be used with various taxonomies and libraries. The focus of this session should be on creating that process. This process will be supported and complimented by prescriptive threat modeling guidance via the Threat Modeling Cheat Sheets being developed.

What

  • Define what components and steps are needed for a proper lightweight process. We should work on a definition (a “MVP” threat model) that does not include over-processing or over-variation. The process framework will drive the specific discussion points below.
  • Make the framework flexible enough to accept many different base artefacts (e.g. - RACI, DFDs, lists etc.) for ADCI environments.
  • Define and refine the “incremental threat modelling” concept to enable integration with ADCI iterational approaches.
  • Add steps describing how to start threat modelling on an existing project/codebase without the need to cover everything (similar to introducing tests to legacy software). Build on the “10,000 ft view” model of encapsulation.
  • Create a set of top-level application component patterns to speed up analysis. These asset libraries can be used to complement other libraries that may get plugged into the lightweight process. Keep this pattern library to a manageable set of elements (shoot for around 10).
  • Review threat model taxonomies (eg. CIA, STRIDE, CWE, CAPEC, etc.) and decide which one(s) fit best for a lightweight process.
  • Create an adaptable threat library based on current OWASP and MITRE content, and align this process with the lightweight taxonomy (or taxonomies). Keep this library to a manageable set of elements (shoot for around 10).
  • Define the schema definitions for a migitations/countermeasures/controls library, again keeping the definitions top-level and flexible to enable speedy use. These definitions should leverage other OWASP content (e.g. ASVS, cheat sheets, SKF mitigation guidance, etc.) Keep this library to a manageable set of elements (shoot for around 15).
  • Content from Cheat Sheets will parrallel efforts depicted by this lightweight threat modeling process.

Outcomes

  • Defined: Lightweight threat modelling process with artefacts for ADCI environments
  • Created: “How to” guide for ADCI environments
  • Created: application component patterns library
  • Created: adaptable threat library
  • Created: countermeasures library schema definition
  • Key process activities that tie to cheat sheet guidance

 

 

 

JBI training course London UK

Security minded Project and Product Managers

5 star

4.8 out of 5 average

"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"

Brian Leek, Data Analyst, May 2022



“JBI  did a great job of customizing their syllabus to suit our business  needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and  the Instructor handled this particularly well - very impressive”

Brian F, Team Lead, RBS, Data Analysis Course, 20 April 2022

 

 

JBI training course London UK

Newsletter

 

Sign up for the JBI Training newsletter to stay updated with world-class technology training opportunities, including Analytics, AI, ML, DevOps, Web, Backend and Security. Our Power BI Training Course is especially popular.  Gain new skills, useful tips, and validate your expertise with an industry-leading organisation, all tailored to your schedule and learning preferences.



Our security and threat modelling training course is designed to answer those questions by performing multiple Threat Models on typical inhouse Applications, and enabling a discussion between participants on the best way to execute them. It is key that all key players in an Application Development workflow know what questions to ask (or should be asked), and more importantly, what is the ‘measurable difference’ between teams that have performed Threat Models vs teams that have pushed products/services into production without evaluating its security profile and risks

CONTACT
+44 (0)20 8446 7555

[email protected]

SHARE

 

Copyright © 2023 JBI Training. All Rights Reserved.
JB International Training Ltd  -  Company Registration Number: 08458005
Registered Address: Wohl Enterprise Hub, 2B Redbourne Avenue, London, N3 2BS

Modern Slavery Statement & Corporate Policies | Terms & Conditions | Contact Us

POPULAR

Rust training course                                                                          React training course

Threat modelling training course   Python for data analysts training course

Power BI training course                                   Machine Learning training course

Spring Boot Microservices training course              Terraform training course

Kubernetes training course                                                            C++ training course

Power Automate training course                               Clean Code training course