Office Hours after training
Office hours are one way we strive to deliver a great training experience.I ran Threat Modeling Intensive office hours this morning.
Effective teaching is incredibly important to me. When I talk to people about why they've picked my courses, they say all sorts of complimentary things about my work, and a belief that I'll teach them well.
I spend a lot of time working to live up to that, and considering
how to create supportive learning environments. And when we train at a
conference, people leave our training and have all sorts of
distractions exciting
experiences. So I hold an office hours session to
help bring the lessons back into focus and get participants on track
with implementing what they've learned.
I run the office hours freeform, on the assumption that participants will have specific questions to ask. Today’s notes:
- One person's ready to start with a set of meetings to threat model: introducing threat models, understanding the system, presenting a DFD, presenting analysis that they do for the teams. (I commented on not letting the meetings stretch out if they don't have diagrams, and making sure the analysis doesn't devolve into "your system sucks.")
- Someone commented that they used to get overwhelmed with unfamiliar systems, and the structured ways we break it down are helpful
- We talked about 'what are we going to do about it" and how I may be skipping over some basics that are 'obvious to me.'
- There are catalogs of controls (NIST CSF, OWASP CRE or ASVS, vendor guidance such Android Security Guidance, and more).
- I think of controls as
- incorporating new features
- configuration options at the platform (turn on TLS, ensure 1.3 only in nginx), API (use AES in this mode), or package levels.
- Tools like Okta, Google authenticator, or Splunk
- Handling bugs
If you’re interested in a private course, don’t hesitate to get in touch.