Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

TRAINING: Whiteboard hacking: Hands-on threat modeling

Steven Wierckx (Toreon)
9:00am–5:00pm Monday, October 30, 2017
Location: Gibson

Who is this presentation for?

  • You're a CISO, software architect, developer, or security professional who wants to gain a deeper understanding of threat modeling.

Prerequisite knowledge

  • A basic understanding of IT security concepts

What you'll learn

  • Learn how to perform effective threat modeling
  • Explore real-world use cases for practical threat modeling


Drawing on real-world use cases—including hotel booking web and mobile applications that share the same REST backend, an internet of things deployment with an on-premises gateway and secure update service, and an HR services OAuth scenario for mobile and web applications—Steven Wierckx walks you through performing practical threat modeling. Along the way, Steven discusses privacy threats and privacy by design, through a hands-on privacy impact assessment of a face recognition system in an airport.

Participants will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack.

Steven Wierckx


Steven Wierckx is a software and security tester with 20 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He’s the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. He spoke at Hack in the Box Amsterdam, hosted workshops at BruCON and DevSecCon (UK) and delivered threat modeling training at OWASP AppSec USA, OWASP AppSec Israel, BruCON and O’Reilly Security New York.