Threat Modelling
Learn how to think about security as part of agile development, and uncover security defects and requirements before they cost you time, money and feature velocity. Reduce friction by uncovering how to build a secure solution from the start, instead of needing to retroactively apply fixes and re-designs in the name of security later on.
Threat modelling is one of several activities that can be integrated into existing software development to identify and address security weaknesses early in development. It can reduce security debt by minimising defects that may show up later, and also help the whole development team become more aware of what types of security issues may turn up. The results of threat modelling can also help provide security awareness to management, making it clear what resources are needed to provide a secure and feature-rich solution to customers. Threat modelling takes an architectural view and encourages the team to think maliciously about their own solutions, increasing awareness and empowering development to make informed choices around security.
This course introduces students to the threat modelling process and how it can be applied in agile software development. With a process-agnostic approach, the course provides a methodology for addressing architectural security that can be adapted to your team’s development approach. The course is delivered in a workshop format, focusing on practical application of fundamental concepts.
Course Objectives:
- Map out an existing or as-planned system architecture
- Identify trust boundaries in your system
- Identify threats against the system
- Consider different approaches, e.g. asset-focused, attacker-focused and software-focused threat modelling
- Manage and mitigate threats in an actionable manner, ensuring design changes or other requirements make it into appropriate backlogs and defect management systems
- Apply the above to agile development
Audience:
- Developers
- Architects Testers / QA
- Product Owners
- Scrum Masters
- Security Leads
Prerequisites:
Although the course covers a number of technical topics at a high level, no specific security or architecture experience is required to attend. Experience working in teams to develop software solutions is highly recommended, including non-technical roles.
Course outline:
- Introduction
- Security fundamentals
- Designing for security
- What is threat modelling
- How to use threat modelling
- Methodologies
- Practical threat model exercise and walkthrough
- Making sure your threat model is valuable
- Making threat modelling a part of your development approach
About the author and instructor of the course
Nick acts as knowledge servant and facilitator for Miles' Agile Security practice. Nick has spent the past 15 years in security consulting roles in the US, the UK, and now Norway. He quickly discovered he had a passion for helping solve the security challenges developers face. He's been part of evaluating software security initiatives and building solutions for global organisations within the Finance, Technology, Automotive, and Telecoms industries. Nick holds a MSc in Information Security from Royal Holloway, University of London.