Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

In-Person Training
Hands-on threat modeling and tooling for DevSecOps

Monday, June 10 & Tuesday, June 11,
9:00am - 5:00pm
Building Secure Systems
Location: Almaden Ballroom 2

Participants should plan to attend both days of this 2-day training course. To attend, you must register for a Platinum or Training pass; does not include access to tutorials on Tuesday.

Learn how to use threat modeling as technique to integrate security in the DevOps workflow, introduce "threat modeling as code" and build a security culture in your organization.

What you'll learn, and how you can apply it

DevOps Engineers will be able to improve reliability and security of delivered software.

This training is for you because...

You are a DevOps Engineer.


This course is aimed at DevOps Engineers. Before attending this course, students should be familiar with basic knowledge of microservices, cloud architectures and AWS.

Hardware and/or installation requirements:

Handouts, templates and lab challenges will be made available before the training.

This is an action-packed 2-day Threat Modeling course specifically for DevOps Engineers to improve reliability and security of delivered software. We will teach an iterative and incremental threat modeling method that is integrated with the development and deployment pipeline. As the speed of delivery is crucial with shorter development cycles, increased deployment frequency, and more dependable releases we focus on a risk-based unified threat modeling practice that is in close alignment with business objectives.

We will review tools and introduce threat modeling as code to integrate threat modeling in the CI/CD pipeline. Threat modeling the CI/CD pipeline itself will also be covered.

The training material and hands-on workshops with real live use cases are based on our experience. The students will be challenged to perform practical threat modeling in squads of 3 to 4 people covering the different stages of threat modeling on an incremental business driven CI/CD scenario:

  • Sprint 1: Modeling a hotel booking web and mobile application, sharing the same REST backend
  • Sprint 2: Threat identification as part of migrating the booking system application to AWS
  • Sprint 3: AWS threat mitigations for the booking system build on microservices
  • Sprint 4: Building an attack library for CI/CD pipelines

Some feedback from our Black Hat training attendees:

  • “Sebastien delivered! One of the best workshop instructor’s I’ve ever had.”
  • “Very nice training course, one of the best I ever attended.”
  • “I feel that this course is one of the most important courses to be taken by a security professional.”
  • “The group hands-on practical exercises truly helped.”

About your instructor

Photo of Sebastien Deleersnyder

Sebastien Deleersnyder is a co-founder, CEO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and performed several public presentations on Application Security. Seba also co-organized the yearly security & hacker BruCON conference and training in Belgium.

With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience.

Conference registration

Get the Platinum pass or the Training pass to add this course to your package. Best Price ends March 22.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)