Learning Path: Threat Modeling

Agile Threat Modeling

Agile was one of the most important innovations in product development methodology when it became popular in the early 2000s. Iterative development is an important piece of the modern AppSec puzzle, and it’s becoming increasingly more valuable to take the time to understand the security needs of your apps. This course is a deep dive into everything you need to know about how to build an effective Threat Model in Agile.

We’ll begin this program with a broad overview of security in Agile, and the biggest challenges you’ll face. You’ll learn how to design an iterative, collaborative Threat Model using various threat scenarios and abuser stories. You’ll also understand exactly how your Agile Threat Model applies to the software development lifecycle. Finally, we’ll show you how to do Agile Threat Modeling with our very own Threat Playbook.

This course is designed specifically to help you understand how these processes work in a real-world development scenarios, which is why we use story-driven Threat Modelling. Our material is backed by years of security testing experience, knowledge, and original research across our entire team. At the end of the course, you’ll be able to directly implement what you’ve learnt in a modern product engineering environment.

Audience: DevSecOps
Course Duration: 4 hours
7 lessons
2 Cloud Labs

Course Outline

  • Agile Concept Overview and Implementation
  • Pitfalls and Challenges
  • Opportunities for Security in Agile
  • Implementing DevSecOps as an extension to Agile Security
  • How Threat Modeling is the glue of Agile Security
  • Use of Threat Modeling Outputs for the entire SDLC
  • Approach to Iterative, Feature-Driven Threat Modeling
    • Collaborative Threat Modeling exercise
    • Elevation of Privilege Card Game for UserStory/Feature
    • Story-Driven Threat Modeling
      • Abuser Stories
      • Threat Scenarios
      • Test Cases
  • Using Threat Modeling in Development Process and Checks
  • Incorporate Threat Modeling Outputs to Static Checks and Checklists
  • Incorporate Threat Modeling Outputs to Penetration Testing and Red-Teaming:
    • Pre-Deployment Security Checks
    • Post-Deployment Security Checks
  • Incorporate Threat Modeling Outputs in Incident Response
  • Generating “Threat Models as Code”
  • Threat Model Process Flow Diagrams with MermaidJS and Robot Framework
  • Documenting Security Test Cases for Threat Models