301 Course from Shostack + Associates
This course enables security champs to support threat modeling work by their teams. The outcome is champs supporting threat modeling execution by product teams, not champs ready to train and leave.
Participants will be led through how to introduce threat modeling to teams, with or without Elevation of Privilege, how to lead threat modeling work, and how to evaluate such work in depth.
This course is 10 learning hours, roughly equivalent to a one-day in-person class. The time is split between short video 'lectures,' like the one below, homework assignments and group discussion via Zoom.
- Introducing TM to teams
- Using the Elevation of Privilege deck
- Leading TM work
- Reviewing TM — evaluating models of systems
- Reviewing TM — evaluating threat records
- Reviewing TM — evaluating bugs (and reports)
- Effective retrospectives (Did we do a good job?)
- Soft skills in threat modeling