- Offensive threat modeling for penetration testers
- What is threat modeling?
- Why perform threat modeling?
- Threat modeling stages
- Identify threats
- Addressing threats
- Exploiting a threat model
- Understanding context
- Doomsday scenarios
- Data flow diagrams
- Attack Boundaries
- Hands-on: Attacking a B2B web and mobile applications, sharing the same REST backend
- STRIDE introduction
- Spoofing threats
- Tampering threats
- Repudiation threats
- Information disclosure threats
- Denial of service threats
- Elevation of privilege threats
- Attack trees
- Hands-on: Weakness analysis of an Internet of Things (IoT) smart home deployment
- Mitigation patterns
- Authentication: mitigating spoofing
- Integrity: mitigating tampering
- Non-repudiation: mitigating repudiation
- Confidentiality: mitigating information disclosure
- Availability: mitigating denial of service
- Authorization: mitigating elevation of privilege
- Hands-on: get into the defenders head – modeling points of attack of a nuclear facility.
- Attack libraries
- OWASP Top 10
- The “Snowden” documents
- Other lists
- Create your own attack list
- Create pentest cases for threat mitigation features
- Pentest planning to exploit security design flaws
- Vulnerabilities as input to plan and scope security testing
- Prioritization of pentesting based on risk rating
- Threat modeling resources
- Open-Source tools
- Commercial tools
- General tools
- Hands-on examination
- Grading and certification
This training is aimed at security professionals or penetration testers.
Before attending this course, students should be familiar with basic knowledge of penetration testing methodologies and techniques.
The students should bring their own laptop to the course.
- “Sebastien delivered! One of the best workshop instructor’s I’ve ever had.”
- “Very nice training course, one of the best I ever attended.”
- “I feel that this course is one of the most important courses to be taken by a security professional.”
- “The group hands-on practical exercises truly helped.”
Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design, Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. Last year, he spoke at Hack in the Box Amsterdam, hosted a workshop at BruCON and delivered threat modeling trainings at OWASP AppSec USA and O’Reilly Security New York.