
Difference between revisions of "OWASP NZ Day 2019-Training-Threat Modelling From None to Done"

(fixed typo)
(Added resource links)
 
Line 54: Line 54:
 
'''Skill Level:''' Basic - All levels are welcome, no prior threat modelling or software development experience is assumed.  
 
'''Skill Level:''' Basic - All levels are welcome, no prior threat modelling or software development experience is assumed.  
  
'''Required Materials:''' Each attendee should bring their own laptop computer. For non-Windows computers, if you would like to install and use the Microsoft Threat Modeling Tool, a virtualisation tool (e.g., Virtual Box) and a Windows virtual machine will be needed.
+
'''Required Materials:''' A laptop computer is not required for this class. If you wish, you can bring a laptop; power should be available, and WiFi access will be provided. For non-Windows computers, if you would like to install and use the Microsoft Threat Modeling Tool, a virtualisation tool (e.g., Virtual Box) and a Windows virtual machine will be needed.
  
'''Materials Provided:''' Each attendee will receive a copy of Adam Shostack's book ''Threat Modeling: Designing for Security,'' a deck of ''Elevation of Privilege'' cards, and other electronic and printed resources
+
'''Materials Provided:''' Each attendee will receive a copy of Adam Shostack's book ''Threat Modeling: Designing for Security,'' a deck of ''Elevation of Privilege'' cards, and other printed resources
  
 
'''Instructor:''' Dr. John DiLeo
 
'''Instructor:''' Dr. John DiLeo
  
 
'''Instructor's Organisation:''' OWASP New Zealand Chapter
 
'''Instructor's Organisation:''' OWASP New Zealand Chapter
 +
 +
== Supporting Materials ==
 +
 +
* [[Media:Slide Deck - Threat Modelling.pdf|Slide Deck (PDF, 4.1 MB)]]
 +
* Presentation Slides: [http://i.blackhat.com/us-18/Wed-August-8/us-18-Shostack-Threat-Modeling-in-2018.pdf Adam Shostack - Threat Modeling in 2018] (PDF, adam.shostack.org)
 +
* Presentation by Irene Michlin at AppSec EU 2017 - Incremental Threat Modeling [https://www.youtube.com/watch?v=WePVoeYrhpg Video (YouTube)], [https://2017.appsec.eu/presos/CISO/Incremental%20Threat%20Modelling%20-%20Irene%20Michlin%20-%20OWASP_AppSec-Eu_2017.pdf Slide Deck (PDF)]
 +
* Presentation at AppSec EU 2009 - [https://www.owasp.org/images/7/79/AppSecEU09_OWASP_EU_Threat_Modeling.ppt What Is Threat Modeling?] (PPT)
 +
* Presentation at AppSec EU 2009 - [https://www.owasp.org/images/7/79/AppSecEU09_OWASP_EU_Threat_Modeling.ppt Advanced Threat Modeling] (PPT)* Software Engineering Institute White Paper - [https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_524597.pdf Threat Modeling: A Summary of Available Methods] (PDF)
 +
* RSA 2017 Conference Learning Lab - [https://www.rsaconference.com/writable/presentations/file_upload/lab3-w04_threat-modeling-demystified.pdf Threat Modeling Demystified] (PDF)
 +
* SAFECode White Paper - [https://safecode.org/safecodepublications/tactical-threat-modeling/ Tactical Threat Modeling] (PDF)
 +
* [[Media:STRIDE Reference Sheets.pdf|STRIDE Reference Sheets (PDF, 112 kB)]], excerpted from Shostack text
 +
* [[Media:Threat Modelling - STRIDE Cards - TW Branded.pdf|STRIDE Reference Cards (PDF, 5.0 MB)]], produced and branded by ThoughtWorks
 +
* [https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2A3xt Microsoft Bug Bar Example] (PDF)
 +
* [https://www.microsoft.com/en-us/securityengineering/sdl/ Microsoft's SDL Resource Site]
 +
* [https://www.microsoft.com/en-nz/download/details.aspx?id=20303 Download Page] for <i>Elevation of Privilege</i> Card Decks
 +
* OWASP Resource Sites:
 +
** [[OWASP Threat Model Project|Threat Model Project Home Page]]
 +
** [https://www.owasp.org/index.php/Category:Threat_Modeling Threat Modelling Category Page]
 +
** [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md OWASP Threat Modeling Cheat Sheet] (MarkDown, on GitHub)
  
 
== Your Instructor ==
 
== Your Instructor ==
  
 
'''Dr. John DiLeo''' - John is the Auckland-area leader of the OWASP New Zealand Chapter, and is employed as the Application Security Architect at Orion Health, a global company specialising in health information software. In his current role, he is responsible for developing and managing the enterprise's software assurance progamme, with emphasis on governance, secure development practices, and security training. Before specialising in application security, John was active as a Java enterprise architect and Web application developer (mostly Java EE and LAMP). In an earlier life, John had specialised in developing discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research. John is also a member of the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and of the OWASP Application Security Curriculum Project.
 
'''Dr. John DiLeo''' - John is the Auckland-area leader of the OWASP New Zealand Chapter, and is employed as the Application Security Architect at Orion Health, a global company specialising in health information software. In his current role, he is responsible for developing and managing the enterprise's software assurance progamme, with emphasis on governance, secure development practices, and security training. Before specialising in application security, John was active as a Java enterprise architect and Web application developer (mostly Java EE and LAMP). In an earlier life, John had specialised in developing discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research. John is also a member of the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and of the OWASP Application Security Curriculum Project.
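Review bot: in the added "Supporting Materials" list, the two AppSec EU 2009 items link to the same file (https://www.owasp.org/images/7/79/AppSecEU09_OWASP_EU_Threat_Modeling.ppt) under different titles, "What Is Threat Modeling?" and "Advanced Threat Modeling", so one of the two URLs is probably wrong and should be checked. The "Advanced Threat Modeling" item and the SEI white-paper item are also run together on one line ("(PPT)* Software Engineering Institute White Paper ..."), so the second `*` will not render as its own bullet; split them onto separate lines. Minor: the Shostack slides item is labelled "(PDF, adam.shostack.org)" but the link points at i.blackhat.com.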

Latest revision as of 01:34, 28 February 2019

Threat Modelling: Getting from None to Done

Interactive Training -- OWASP New Zealand Day-2019

This session offers participants an interactive introduction to Threat Modelling, based on the instructor's learning and experience over the past several years. A primary focus of this course is the introduction of threat modelling activities into your organisation's software development processes, to improve the overall quality and security of the applications we build.

As a recent "convert" to the application security world, your instructor is more or less a "journeyman" in the area of threat modelling, and has been gathering information from a variety of sources to come up with a practical approach to threat modelling in his organisation.

In addition to addressing key questions around the "Five Ws," the presentation will cover the "Four Questions" approach to developing a model, and include several interactive exercises to provide direct experience. Brief introductions to available modelling tools will also be included.

Learning Objectives

In this course, attendees can expect to:

  • Gain a better understanding of the motivations for, and benefits of, threat modelling
  • Learn the process for building a threat model, using the "four questions" approach
  • Learn how to introduce threat modelling into existing organisations, and development projects working with "legacy" applications
  • Learn the basics of using available tools to create and manage a threat model
  • Learn about integrating threat modelling into the software development lifecycle

Course Topics

The proposed outline for this course is as follows:

  • Introduction - Overview, and Initial Modelling Exercise
  • The Five Ws of Threat Modelling
  • Modelling Approach - The Four Questions
    • Case Study
  • Threat Actor Personas
  • Using Modelling Tools
    • Microsoft Threat Modeling Tool
    • OWASP Threat Dragon
    • Drawing Tools and Templates
  • Incremental Threat Modelling
  • Integration with the SDLC
    • Phase-based approaches ("waterfall")
    • Sprint-based approaches ("agile")

Course Details

Date: Thursday, 21 February 2019

Time: 8:45 a.m. to 5:30 p.m.

Course Fee: $500.00 (NZD)

Registration Site: https://owaspnz2019-training.eventbrite.com

Location: University of Auckland School of Business, 12 Grafton Road, Auckland - Lower Level

Target Audience: Web Developers, Software Engineers, Application Security Professionals

Skill Level: Basic - All levels are welcome, no prior threat modelling or software development experience is assumed.

Required Materials: A laptop computer is not required for this class. If you wish, you can bring a laptop; power should be available, and WiFi access will be provided. For non-Windows computers, if you would like to install and use the Microsoft Threat Modeling Tool, a virtualisation tool (e.g., Virtual Box) and a Windows virtual machine will be needed.

Materials Provided: Each attendee will receive a copy of Adam Shostack's book Threat Modeling: Designing for Security, a deck of Elevation of Privilege cards, and other printed resources.

Instructor: Dr. John DiLeo

Instructor's Organisation: OWASP New Zealand Chapter

Supporting Materials

Your Instructor

Dr. John DiLeo - John is the Auckland-area leader of the OWASP New Zealand Chapter, and is employed as the Application Security Architect at Orion Health, a global company specialising in health information software. In his current role, he is responsible for developing and managing the enterprise's software assurance programme, with emphasis on governance, secure development practices, and security training. Before specialising in application security, John was active as a Java enterprise architect and Web application developer (mostly Java EE and LAMP). In an earlier life, John specialised in developing discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research. John is also a member of the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and of the OWASP Application Security Curriculum Project.