Nullcon Training event
We are looking forward to this, via @Nullcon
Event: Nullcon Online Training March - 2021
Dates: 01 to 04 March 2021
Timing: 10.00 AM to 2.00 PM IST
Overview
The learning path covers why we need to do security architectural and design analysis & threat modelling as part of our secure software development lifecycle. This is even more important today, with high-volume code turnarounds which can create a huge amount of system dependencies in a short period of time.
Course Content
We will start with an introduction to threat analysis using the attack kill-chain, defense-in-depth, and security framework integration (STRIDE, OWASP Top 10). There will be several small labs during the session. It will also cover the basics of a threat model exercise. We will explore the elements of a threat model and how to research & discover them.
We will understand:
- Security threat frameworks
  - Attack Kill Chain
  - ATT&CK matrix (from MITRE)
  - Defense-In-Depth model
  - Open Systems Interconnection model (OSI)
  - STRIDE
  - OWASP Top 10 (OT10)
  - Common Weakness Enumeration (CWE)
- Relations between threat frameworks
  - Attack Kill Chain to STRIDE
  - Attack Kill Chain to ATT&CK
  - Defense-In-Depth to OSI
  - STRIDE to OT10
- Threat model elements
  - How stakeholders link to assets and security risk
  - How threats and threat agents link to vulnerabilities and mitigations
  - How to quantify threat agents for critical software systems
And you’ll be able to:
- Use the threat frameworks to assess threats
- Use the relationship between frameworks to speed up threat discovery
- Use the relationship between frameworks to build faster mitigation plans
- Assess the danger of classes of threat agents
- Use different types of threat modeling based on time available and criticality
Then we will go over the approach to threat modeling in real-world scenarios. The Rapid Threat Model Prototyping (RTMP) methodology will then be introduced, framed by secure Agile Architecture practices. It will finish with a big lab that combines all the concepts from the start.
We will understand:
- Threat model steps
- When to do different types of threat models
- How to identify access control dangers in threat model data flows
- How business strategies drive strategic architecture decisions
- Strategic and tactical Agile secure architecture principles
- Rapid Threat Model Prototyping and how it works in DevOps
And you’ll be able to:
- Derive strategic secure architectural requirements from business requirements
- Integrate threat model steps into an Agile workflow
- Create good fidelity threat models faster and within Agile sprints
Who Should Attend
This training is for you because:
- You’re an architect, developer, tester, or security specialist
- You work with modern software development
- You want to become a security architect or SME
Prerequisites
- Technical knowledge of building software
Recommended reading preparation
- Threat Modeling: Designing for Security by Adam Shostack
  - https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
  - https://learning.oreilly.com/library/view/threat-modeling-designing/9781118810057/
- Developer-Enabled Threat Modeling by Izar Tarandach and Matthew J. Coles
  - https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553
  - https://learning.oreilly.com/library/view/developer-enabled-threat-modeling/9781492056546
- GitHub “rapid-threat-model-prototyping-docs”
  - https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs