Threat Modeling for Security Champions - Course by Adam Shostack

Course overview

Threat modelling is a structured, systematic approach to identifying vulnerabilities at any development stage. Delegates will typically be a member of a product, feature or stream-aligned team with some security knowledge. This course will empower each delegate to act as a Security Champion, guiding and watching over the threat modeling process on behalf of their team.

Delegates will be led through:

• How to introduce threat modeling to teams
• How to evaluate such work in depth
• How to guide and review the work of others in retrospectives and other rituals to ensure systems are correctly documented, threats recorded, and bugs dealt with.

After the course, the champion will return to the team where they will lead the process and review the quality of threat modeling produced.

Course duration and format:

The course is 10 learning hours, roughly equivalent to a one day in person class. The time is split between short video 'lectures,', hands-on exercises homework assignments and group work and discussion and instructor led coaching via Zoom.

Course Content:

• Introducing threat modeling to teams
  
• Using the Elevation of Privilege game deck
  
• Leading threat modeling work
  
• Reviewing threat modeling (Did we do a good job?)
  
• Evaluating models of systems
• Evaluating threat records
• Evaluating bugs (and reports)
• Effective retrospectives 
• Soft skills in threat modeling