October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Applying threat modeling to building secure software

Andrea Doherty (EMC Corporation), Danny Dhillon (EMC Corporation)
1:30pm–5:00pm Monday, 10/31/2016
Tools and processes
Location: Trianon Ballroom Level: Beginner
Average rating: **...
(2.00, 1 rating)

Prerequisite knowledge

  • Experience in software development (whether as an architect, designer, software development engineer, quality engineer, programmer, or tester)

Materials or downloads needed in advance

  • Pen and paper
  • A laptop loaded with a threat modeling tool like the Microsoft Threat Modeling Tool 2016
  • Your own architecture or high-level software design to work with (No need to share the specific design with the rest of the group—this is for your own use; alternately, we will be providing examples for use during the workshop.)

What you'll learn

  • Understand the value and practicality of threat modeling and how to apply threat modeling in your everyday efforts to build secure software


Threat modeling enables a software team to find weaknesses in a design that could be exploited by a threat agent (e.g., a security researcher, cybercriminal, state-sponsored hacker, or malicious insider) and build in defenses to prevent those weaknesses from becoming costly issues. Threat modeling can be done at any time—preferably at the very start of a project—and continue whenever new components or features are added to the system.

Andrea Doherty and Danny Dhillon walk you through a pragmatic approach to threat modeling that can be applied within your existing structured and Agile processes. This workshop avoids focusing on theory. Instead, you’ll learn threat modeling through hands-on experience. Andrea and Danny present a five-step approach that you will apply in a series of exercises to build you own threat model:

  1. Model a software design using simple data flow diagrams.
  2. Use those diagrams to identify the attack surface of a system.
  3. Look at each of the trust boundaries within the attack surface and answer the question, what could possibly go wrong? We’ll look at common threat patterns and demonstrate an approach for determining which are applicable to a system.
  4. Prioritize the threats based on risk (a combination of exploitability of the weakness and potential impact to the confidentiality/integrity/availability of sensitive resources).
  5. Decide which threats to address through mitigation and define a mitigation plan (including downstream activities like secure coding, scanning, and testing) that can be executed within an existing structured or Agile development process.

The workshop will be chock full of hands-on examples and case studies based on Andrea’s and Danny’s real-world experiences working as security advisors to product development teams at a multinational software vendor. The material was refined through internal training workshops and practical application across multiple types of enterprise architectures built on a variety of technology platforms, including client-server environments, cloud computing services, physical and virtual appliances, and online mobile application stores.

Photo of Andrea Doherty

Andrea Doherty

EMC Corporation

Andrea Doherty is a consultant product security engineer at EMC Corporation, working for the EMC Product Security office as a security advisor for several product development teams. Andrea has been a security champion, security architect, and security advisor for the past 21 years. Previously, Andrea specified and built security applications for 13 years at RSA, the security division of EMC. Andrea represented RSA in the IETF KEYPROV working group and was editor of RFC6063. In 2015, she led the SAFECode Threat Modeling Tool BoF comprised of representatives from seven member companies. Andrea has presented on threat modeling and security testing at a number of regional security conferences, including Cisco SecCon 2013 and Source Boston 2014.

Photo of Danny Dhillon

Danny Dhillon

EMC Corporation

Danny Dhillon currently leads the Security Development Lifecycle program at EMC Corporation. Danny has 15 years of diverse experience in security engineering. He has given dozens of training workshops on threat modeling, published on the topic in IEEE Security & Privacy, and presented at Microsoft’s BlueHat conference and RSA’s conference. Danny is a founding member of the IEEE Center for Secure Design.

Comments on this page are now closed.


Picture of Andrea Doherty
Andrea Doherty
10/27/2016 3:02pm EDT

Hi Brandon,
The Threat Modeling tool is not required. Any tool capable of drawing data flow diagrams, or even pen and paper, will be just as good.
See you on Monday!

10/26/2016 3:43pm EDT

Is a threat modeling tool required? Is there an OSX option?