Threat modeling training  

Threat modeling helps to take a wider perspective and understand cases in which you need to protect your essential assets. It is recommended to perform a threat modeling session not only before the start of security tests but also while considering new functionality for an existing application or before making any changes to your infrastructure.  

Asking “what could go wrong” early in the SDLC process makes it a lot easier to secure your resources in the first place. Let us share the best practices for implementing threat modeling in your organization.  


Training objectives  

  1. Creating a solid basis to understand different threat modeling methodologies. 
  2. Getting to know a simplified threat modeling process using 3 key questions: What? Who? How? 
  3. Gaining practical experience with real-world examples. 
  4. Being able to perform threat modeling at scale and implement it in various test cases. 

No theory – just practical application 

We focus on the practical application of the acquired knowledge, so the workshops are built around exercises based on real-world examples. Each company is different, so we select example scenarios that may happen in your case. During this training, your team will be exposed to many new situations – in this way, we encourage you to think outside the box and understand the attacker’s perspective.  

Your team will confront a wide range of the most common attacks and vulnerabilities that we encounter in our daily work as security professionals. We will broaden your horizons about cybersecurity, but more importantly, we will focus on the appropriate evaluation and prioritization of the implemented security measures. 

While preparing such training, we do our best to understand your current situation and adjust to an optimal agenda.

Content and course of the training

Each training is custom-made and adjusted to your organization’s needs.

We make the training adjustable to your future projects so that you are able to run threat modeling sessions when you need them, whether the subject is an application, an infrastructure, or a business decision. 

To ensure this, we stick to the following framework of the course:

  1. Introduction to threat modeling – during this stage, the participants will discover the threats of designing applications and systems without security requirements and learn about the pros and cons of Threat Modeling. They will also cover different approaches to Threat Modeling (Attack Tree, STRIDE, Who? What? How?). 
  2. Adding security to your SDLC – the participants will gain an understanding of how to implement Threat Modeling in your organization. They will explore the security stage in Agile, Scrum, and Sprint methodologies. The participants will learn how to model threats before and during the developers’ work on the project. Our specialists will also share what Threat Modeling brings to business.  
  3. Planning an effective session – this part will teach the participants how to prepare an effective Threat Modeling session: roles for session attendees, whom to invite, and the flow of the session.  
  4. Sample threat modeling session – this stage is all about determining potential attackers, defining key resources, creating security requirements based on threats, and developing test cases based on requirements. 
  5. Session results management – during this stage, participants will learn about CVSS Compliance and threat-based decision making with examples. 
  6. Best practices – this part includes information about basic threat models in large-scale projects, an exercise to define a basic threat model for your organization, and a Threat Modeling effectiveness diagram. 

For a threat modeling session to be effective, it is highly recommended that the team include a security specialist – a domain expert who knows how to attack the specific technologies under analysis. Ideally, this would be a person from your organization; however, we can also “lend” you one of our specialists. 

About the trainers

Mateusz Olejarka
Principal Security Consultant | Head of Web Security

His key responsibilities are web and mobile application penetration testing, threat modeling, and source code review. A consultant helping software development teams cope with application security-related topics. A casual bug bounty hunter, listed in the Halls of Fame of companies such as Adobe, Algolia, GM, Jet, Netflix, Tesla, Twitter, Uber, and Yahoo.

A speaker at conferences: 4Developers, Black Hat Asia, Code Europe, CONFidence, Hacktivity, NGSec, Security Case Study, Secure, SEMAFOR, Testing Cup, TestWarez, TestWell, OWASP, and KraQA meetings.

Sebastian Obara
IT Security Consultant

An IT security specialist at SecuRing since June 2022. His key responsibilities are threat modeling and security testing of web applications and related components. Earlier, he worked on the other side of the barricade as a Team Leader/Senior Developer (PHP/Python) and a Team Leader DevOps. He was responsible for the development and maintenance of the CI/CD environment and network/servers – Infrastructure as Code. He has also worked as a Team Leader/Coordinator of the AI project SendGuard – AI solutions to fight spam and phishing. Listed in the Hall of Fame at Grafana.

Certificates: eLearn Web Penetration Tester Extreme (eWPTXv2)


How to get started? 

If you would like to implement threat modeling in your organization, fill out our contact form and we will get back to you with our full offer.  


Articles on Threat Modeling

In the meantime, we recommend articles on Threat Modeling from our Knowledge Base

Thinking what can go wrong? Introduction to Threat Modeling

Threat Modeling – how to start doing it?

Why threat modeling is important

How to prepare an effective threat modeling session

Case study

How did we increase the security of online banking applications?

The client was one of the leading banks with a website for individual and business entities. The scope of the tests covered transaction website security, payment management services, financial exchange, and loan products.
