This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Learn More About the Threat Modeling and Architecture Review Class

Jump to: navigation, search

Abstract: Threat Modeling and Architecture Review are the cornerstones of a preventative approach to Application Security. By combining these topics into single comprehensive course attendees can get a complete understanding of how to understand the threat an application faces and how the application will handle those potential threats. This enables the risk to be accurately assessed and appropriate changes or mitigating controls recommended. From the course outline:

1. Overview

•Scope and problem definition

•High‐level view of the overall process

•Core techniques

2. Threat assessment and modeling

•Overall threat modeling process

•Preparation and background information

•Capturing business and security goals

•Identify vulnerabilities and other risks

•Establish weighting and prioritization of risks

•Guard against risks with compensating controls

•EXERCISE – Threat model a real‐life problem

3. Architecture review techniques



•EXERCISE – Apply the techniques from Authentication and Authorization

•Input validation

•Output encoding

•EXERCISE – Apply the techniques from Input Validation and Output Encoding

•Error handling

•Audit logging

•EXERCISE – Apply the techniques from Error Handling and Audit Logging


•Configuration management

•EXERCISE – Apply the techniques from Encryption and Configuration Management

4. Specifying security requirements

•Writing positive security requirements

•Deriving security requirements from functional requirements

•Thinking broadly about requirements coverage

•Balancing security requirements with functionality

Trainer Bio: Pravir Chandra is Director of Strategic Services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. His book, Network Security with OpenSSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project.