Security Uno: A Fun Way to Threat Model

Half-Day Interactive Training - OWASP New Zealand Day 2020

Abstract

This course will cover the what, why, when, and how of threat modelling applications in your organisation. The bulk of this course will be based on the book “Threat Modeling: Designing for Security”, by Adam Shostack, and will leverage a variant of the “Elevation of Privilege” card game - Security Uno - created by the instructor.

Course Details

Dates: Thursday, 20 February 2020

Time: 1:30 to 5:30 p.m.

Course Fee: NZ $325.00 (plus EventBrite fees)

Registration Site: https://owaspnz2020-training.eventbrite.com

Attendees Should Bring:

Attendees Will Be Provided:

Instructor: Kendra Ash, Vacasa

Course Objective

The objective of this class is to provide the audience with tools to gain adoption for application threat modelling early on in the development pipeline, while also building confidence in how to threat model.

Course Overview

If you are a software, DevOps, QA or security engineer and want to learn how to threat model APIs in AWS, this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling: Designing for Security, by Adam Shostack, and will leverage a variant of the Elevation of Privilege card game.

I will also dive into the approach I have used, as a Security Engineer, to gain adoption from engineering teams. After gaining an understanding of threat modelling, we will dive into how we can automate security checks for an AWS environment, leveraging the AWS API tool to provide quick engineering feedback on ways to improve the security of their infrastructure. If time allows, we will discuss the success with a monthly DevOps report on AWS, GitHub, Incidents, Security and more for each team in the department.

Your Instructor

Kendra Ash - Kendra is a security engineer at Vacasa, actively building a security team and programme by leveraging guidance from her network, and industry standards. She is energetic and cares deeply about safeguarding the end-user’s data, through automation, collaboration, and encryption. Outside of work she participates in local meetups, coaches ski racing, and volunteers for her local search and rescue team.