4–7 Nov 2019

Hands-on threat modeling and tooling for DevSecOps

9:00—17:00 Monday, 4 November—Tuesday, 5 November
Location: R12
See passes and pricing

Participants should plan to attend both days of training course. Note: to attend training courses, you must be registered for a Platinum or Training pass; does not include access to tutorials on Tuesday.

Sebastien Deleersnyder teaches you how to use threat modeling to integrate security in the DevOps workflow, introduces threat modeling as code, and shows you how to build a security culture in your organization.

What you'll learn, and how you can apply it

  • Improve reliability and security of delivered software

Who is this presentation for?

  • You're a DevOps engineer.




  • Familiarity with microservices, cloud architectures, and AWS

Hardware and/or installation requirements:

During the training we will do some tool exercises, please do the following before you arrive on-site:

  • Install draw.io tool for your operating system or bring a laptop that can open www.draw.io to use the tool online.
  • If you bring a Windows laptop with you, download and install the Microsoft Threat Model tool.

This action-packed two-day threat modeling course is designed specifically to help DevOps engineers improve reliability and security of delivered software. Sebastien Deleersnyder teaches an iterative and incremental threat modeling method that is integrated with the development and deployment pipeline.

Speed of delivery is crucial with shorter development cycles, increased deployment frequency, and more dependable releases, and Sebastien focuses on a risk-based unified threat modeling practice that is in close alignment with business objectives. You’ll explore tools and learn how to use threat modeling as code to integrate threat modeling in the CI/CD pipeline; you’ll also discover how to threat model the CI/CD pipeline itself.

Sebastien bases the training material and hands-on workshops on real live use cases in his experience. You’ll be challenged to perform practical threat modeling in squads of three to four people, covering the different stages of threat modeling on an incremental business-driven CI/CD scenario:

  • Sprint 1: Modeling a hotel booking web and mobile application, sharing the same REST backend
  • Sprint 2: Threat identification as part of migrating the booking system application to AWS
  • Sprint 3: AWS threat mitigations for the booking system built on microservices
  • Sprint 4: Building an attack library for CI/CD pipelines

Handouts, templates, and lab challenges will be made available before the training.

About your instructor

Photo of Sebastien Deleersnyder

Sebastien Deleersnyder is a cofounder and managing partner of Toreon, providing professional ICT security services to customers in Belgium and abroad. As security project leader and information security officer, he’s built up extensive experience in information security-related disciplines, both at strategic and tactical levels. He specializes in application security, combining his software development and information security experience. He’s performed several successful secure development lifecycle projects in the financial and utility sectors, started up software security groups, supported customers in selecting and implementing web application firewalls (WAF), delivered web application security training, and closed a lot of audit findings regarding application security. Sebastien started the Belgian Open Web Application Security Project (OWASP) as chapter leader, was a member of the OWASP foundation board, and performed several public presentations on web applications and web services security. He also co-organized the yearly security and hacker BruCON conference and trainings in Belgium.

Conference registration

See passes and pricing

Get the Platinum pass or the Training pass to add this course to your package. Early Price ends 20 September.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)

Contact us


For conference registration information and customer service


For more information on community discounts and trade opportunities with O’Reilly conferences


For information on exhibiting or sponsoring a conference

Contact list

View a complete list of Velocity Conference contacts