OWASP AppSec DC 2012/Training/Practical Threat Modeling

Description
Course Length: 1 Day

Threat modeling is gaining traction as a fundamental application security activity. In this class students learn about the attacks that their applications may face and then both formal and informal approaches to threat modeling. Using a fictional scenario, students perform all the activities of a threat model on a complex application, including analyzing design documents and role-playing interviews. Students learn about the industry standard formal threat modeling process as well as Facilitated Application Threat Modeling: a 1-day approach to threat modeling pioneered by Security Compass. Students will also be taught about Security Compass's unique source-code/design-pattern level threat modeling.

Student Requirements
Laptop Required: Students Need to Bring:

Objectives
Audience: Developers, architects, tech leads, information security analysts who perform application penetration testing and/or source code review
Skill Level: Basic

Understand attacks that hackers use to break into web applications
Create threat models for complex multi-tiered applications
Prioritize risk of attacks for an application based on potential threats
Apply security analysis to design and architecture of an application

Instructor
Krishna Raja is a Senior Security Consultant with an extensive background in Java EE application development. He has performed comprehensive security assessments for financial, government, and health care organizations across Canada and the United States. Mr. Raja has also driven the initiation of application security programs into the SDLC process of his clients. This involves the drafting of security requirements, threat modeling, creating secure coding guidelines and security test cases. Krishna has carried out the role of security advisor, security analyst, project manager and trainer. Krishna is instrumental in the development and delivery of Security Compass’ training curriculum. Krishna has developed and taught courses in Threat Modeling, Exploiting and Defending Web Applications, Building Secure Web Applications in Java EE, Advanced Application Attacks, and Application Security Awareness to architects, project managers and developers.