Threat Modeling for Engineers (201) Course from Shostack + Associates


Course Overview

This class is designed to give attendees the ability to apply threat modeling more consistently and efficiently using the Four Question Framework:

Learning outcomes

After taking this class, participants will have the knowledge and skills to consistently and efficiently use the Four Question Framework, data flow diagrams, STRIDE (to identify threats), and mitigation techniques, and to document results and advance threat modeling results for action.

Course Content

10 hours over 5 days.

Relative to our Intensive Course

This engineers course focuses on teaching a single method to address each of the Four Questions. In the Intensive course, we add more methods to address each question, and learn to assess which to apply. That includes state machines and message diagrams to express what we're working on, kill chains and attack trees to address what can go wrong, and risk management approaches to bring more nuance to what we're going to do about each.

This course was formerly called "architects." We've renamed it to better reflect that it's great for anyone building products; we use the term engineer broadly. Software engineers, program managers, product managers, scrum masters, SOC engineers and others have enjoyed the course.