Threat modeling enables a software team to find weaknesses in a design that could be exploited by a threat agent (e.g., a security researcher, cybercriminal, state-sponsored hacker, or malicious insider) and build in defenses to prevent those weaknesses from becoming costly issues. Threat modeling can be done at any time—preferably at the very start of a project—and continue whenever new components or features are added to the system.
Andrea Doherty and Danny Dhillon walk you through a pragmatic approach to threat modeling that can be applied within your existing structured and Agile processes. This workshop avoids focusing on theory. Instead, you’ll learn threat modeling through hands-on experience. Andrea and Danny present a five-step approach that you will apply in a series of exercises to build your own threat model:
The workshop will be chock full of hands-on examples and case studies based on Andrea’s and Danny’s real-world experiences working as security advisors to product development teams at a multinational software vendor. The material was refined through internal training workshops and practical application across multiple types of enterprise architectures built on a variety of technology platforms, including client-server environments, cloud computing services, physical and virtual appliances, and online mobile application stores.
Andrea Doherty is a consultant product security engineer at EMC Corporation, working for the EMC Product Security office as a security advisor for several product development teams. Andrea has been a security champion, security architect, and security advisor for the past 21 years. Previously, Andrea specified and built security applications for 13 years at RSA, the security division of EMC. Andrea represented RSA in the IETF KEYPROV working group and was editor of RFC 6063. In 2015, she led the SAFECode Threat Modeling Tool BoF, composed of representatives from seven member companies. Andrea has presented on threat modeling and security testing at a number of regional security conferences, including Cisco SecCon 2013 and Source Boston 2014.
Danny Dhillon currently leads the Security Development Lifecycle program at EMC Corporation. Danny has 15 years of diverse experience in security engineering. He has given dozens of training workshops on threat modeling, published on the topic in IEEE Security & Privacy, and presented at Microsoft’s BlueHat conference and RSA’s conference. Danny is a founding member of the IEEE Center for Secure Design.
©2016, O'Reilly Media, Inc.