About

A full day threat modeling 101 workshop from the Equinor AppSec team

Purpose

Help teams to build and operate more secure systems by incorporating threat modeling into their daily work.

Audience

Software Development Teams. We prefer to run the 101 workshop for teams, preferably the whole team. We may combine several teams in a workshop. A good size for a workshop is > 10 and < 20.

Schedule ⏱

Full day (8 hours, 9 - 16)

Context

Threat modeling is often cited as the practice with the greatest impact on strengthening a team's security posture. Very few teams practice structured threat modeling. In this workshop you will get a basic introduction to threat modeling for a software development project. We do this by working on a sample web project, exploring both the software development lifecycle and the solution we build. Parts of the content and exercises are experimental. By participating you will be an important part of forming the workshop for our community. Context matters. All models are wrong. Some models are useful. The most important threat modeling is the one you do now! Get started. Just do it :)

Workshop Outline

  • Threat modeling introduction
  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?
  • Threat modeling the SDLC
  • Getting started with threat modeling in your team
  • Wrapping up