Security Uno: A Fun Way to Threat Model
Half-Day Interactive Training - OWASP New Zealand Day 2020
This course will cover the what, why, when, and how of threat modelling applications in your organisation. The bulk of this course will be based on the book “Threat Modeling: Designing for Security”, by Adam Shostack, and will leverage a variant of the “Elevation of Privilege” card game - Security Uno - created by the instructor.
Dates: Thursday, 20 February 2020
Time: 1:30 to 5:30 p.m.
Course Fee: NZ $325.00 (plus EventBrite fees)
Registration Site: https://owaspnz2020-training.eventbrite.com
Attendees Should Bring:
- Paper and pen
- Willingness to learn
- A laptop, to look at the Serverless Security Goat - which we will attempt to threat model in an exercise
Attendees Will Be Provided:
- The basics of threat modelling
- Ways to gain adoption by your peers
Instructor: Kendra Ash, Vacasa
The objective of this class is to provide the audience with tools to gain adoption for application threat modelling early on in the development pipeline, while also building confidence in how to threat model.
If you are a software, DevOps, QA or security engineer and want to learn how to threat model APIs in AWS, this course is for you. This course will cover the what, why, when, and how of threat modeling applications in your organization. The bulk of this course will be based on the book Threat Modeling: Designing for Security, by Adam Shostack, and will leverage a variant of the Elevation of Privilege card game.
I will also dive into the approach I have used, as a Security Engineer, to gain adoption from engineering teams. After gaining an understanding of threat modelling, we will dive into how we can automate security checks for an AWS environment — leveraging the AWS API tool to provide quick engineering feedback on ways to improve the security of their infrastructure. If time allows, we will discuss the success with a monthly DevOps report on AWS, GitHub, Incidents, Security and more for each team in the department.
Kendra Ash - Kendra is a security engineer at Vacasa, actively building a security team and programme by leveraging guidance from her network and industry standards. She is energetic and cares deeply about safeguarding the end-user’s data through automation, collaboration, and encryption. Outside of work she participates in local meetups, coaches ski racing, and volunteers for her local search and rescue team.