Threat Modeling Basics

Whether a historically grown monolith or the latest application with MACH architecture, all applications are exposed to individual threats specific to them. This means that there can be no standard source or reference list that describes relevant threat scenarios to the team. Instead, the team must address its own security posture at two different levels: threats detected at the conceptual level affect the architecture and design of the application, while threats at the implementation level originate in the code.

Threat Modeling describes a regular process to identify threats on the conceptual level and to gather evidence for those on the implementation level.

This seminar focuses on different methods of threat modeling. Classics such as Microsoft’s STRIDE approach will be evaluated alongside lesser-known methods such as PASTA and Attack Trees. The main features are illustrated by means of a typical example application, which is based on architectures regularly encountered in everyday consulting work. Experiences regarding zero-trust or serverless architectures will be shared and compared to on-premises trust-boundary scenarios.

In addition to the methods, experiences with relevant threat modeling tools such as OWASP Threat Dragon and Microsoft Threat Modeling Tool are presented. Advice is given on integrating threat modeling into development processes.

Learning Objectives

After the seminar the participants will be able to

  • create a basic threat model of an application they are familiar with and
  • assess the value and limitations of threat models.

Target audience

  • Decision makers
  • Project managers
  • Software architects
  • Software developers
  • Security Officers

Duration

2 hours to one day

Prerequisites

none

Trainers

Dr. Bastian Braun
Security consultant in many software projects
Björn Kirschner
Experienced penetration tester and IT security consultant
Dr. Benjamin Kellermann
Experienced penetration tester and IT security consultant

Our training courses are aimed at companies and organisations. A training course can be economical with as few as three participants. The training takes place at your premises or is organised by us in an environment of your choice.

Your contact:

Dr.-Ing. Benjamin Kellermann

Get in touch by email.
Or give us a call or use our contact form.