Threat Modeling Intensive (222) Course from Shostack + Associates

Course Overview

Our most popular course, designed to provide attendees the ability to more consistently and efficiently apply threat modeling using the Four Question Framework:

• What are we working on?
• What can go wrong?
• What are we going to do about it?
• Did we do a good job?

Learning outcomes

After taking this class, participants will have the knowledge and skills to consistently and efficiently use the Four Question Framework. That includes data flow diagrams, STRIDE and kill chains to identify threats, risk management and mitigation techniques, and the ability to choose between them for specific situations. They will also understand how to document results, and advance threat modeling results for action.

Course Content

• Threat Modeling Lessons from Star Wars (Traps people fall into)
• Answering the Question: what are we working on with DFDs and other tools
• Figuring out what can go wrong using STRIDE and Kill Chains
• Deciding what we’re going to do about it (Appropriate controls and risk management)
• Determining if we did a good job through measurement and retrospectives
• Threat modeling in 2021

Delivery

Threat Modeling Intensive is our most popular course, and we now proudly offer it in two modes: instructor-led and self-pace. Each is designed to serve different types of learning needs. Currently, Adam Shostack leads all the instructor-led courses, and a capstone discussion with Adam in available as an add-on to the self-pace version.

• Instructor led: 20 Hours over 5 days. Next open course October 11-16. Sign up!
• Self-paced: 16 hours over as many as 30 days. Get started now!

Relative to our Engineers Course

Threat Modeling for Engineers focuses on teaching a single method to address Four Questions. In intensive, we add more methods to address each, and learn to assess which to apply. That includes state machines and message diagrams to express what we're working on, kill chains and attack trees to address what can go wrong, and risk management approaches to bring more nuance to what we're going to do about each. Intensive also has a set of optional videos and exercises to allow students to go further.