Learn how to think about security as part of agile development, and uncover security defects and requirements before they cost you time, money and feature velocity.
Reduce friction by uncovering how to build a secure solution from the start, instead of needing to retroactively apply fixes and re-designs in the name of security later on.
Threat modelling is one of several activities that can be integrated into existing software development to identify and address security weaknesses early in development. It can reduce security debt by minimising defects that may show up later, and also help the whole development team become more aware of what types of security issues may turn up. The results of threat modelling can also help provide security awareness to management, making it clear what resources are needed to provide a secure and feature-rich solution to customers. Threat modelling takes an architectural view and encourages the team to think maliciously about their own solutions, increasing awareness and empowering development to make informed choices around security.
This course introduces students to the threat modelling process and how it can be applied in agile software development. With a process-agnostic approach, the course provides a methodology for addressing architectural security that can be adapted to your team’s development approach. The course is delivered in a workshop format, focusing on practical application of fundamental concepts.
Course Objectives:
Map out an existing or as-planned system architecture
Identify trust boundaries in your system
Identify threats against the system
Consider different approaches, e.g. asset-focused, attacker-focused and software-focused threat modelling
Manage and mitigate threats in an actionable manner, ensuring design changes or other requirements make it into appropriate backlogs and defect management systems
Apply the above to agile development
Audience:
Developers
Architects Testers / QA
Product Owners
Scrum Masters
Security Leads
Prerequisites:
Although the course covers a number of technical topics at a high level, no specific security or architecture experience is required to attend. Experience working in teams to develop software solutions is highly recommended, including non-technical roles.
Course outline:
Introduction
Security fundamentals
Designing for security
What is threat modelling
How to use threat modelling
Methodologies
Practical threat model exercise and walkthrough
Making sure your threat model is valuable
Making threat modelling a part of your development approach