This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Threat Modeling Express

Jump to: navigation, search


Registration | Hotel | Walter E. Washington Convention Center


Course Length: 1 Day

The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling based loosely on a Facilitated Risk Assessment Process (FRAP).

In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.

Student Requirements

This course will include hands-on exercises. Students are not required to bring their own laptops, a pen or pencil will suffice.


Skill: Intermediate, Basic

  • Learn application security basics
  • Be better equipped to make architecture and design decisions with security in mind
  • Be able to create an Express Threat Modeling in one day


Rohit Sethi, Director of Professional Services, Security Compass, is a specialist in threat modeling, application security reviews, and building security controls into the software development life cycle (SDLC). Mr. Sethi is a frequent guest speaker and instructor at several national conferences. He has written articles for Security Focus and the Web Application Security Consortium (WASC), and has been quoted as an expert in application security for ITWorldCanada and Computer World.

At Security Compass, Rohit teaches hundreds of students various topics on web application security in cities across North America. He has also managed and performed extensive threat analysis, source code reviews, and penetration testing for clients in financial services, utilities, telecommunications and healthcare. He is often consulted for his dual expertise in information security and software engineering.