ND-ISAC Application Security 3-Part Training Series: “Application Threat Modeling Training Series”

The National Defense Information Sharing and Analysis Center (ND-ISAC) is honored to announce that we will be offering an application threat modeling training series for our members. The ND-ISAC Application Security working group identified a subject matter expert to lead a training and discussion to further develop content knowledge on application threat modeling. This 3-part series targets members who are Information Security Officers, Network Administrators, Software Engineers, IT Architects, and those looking to move into the AppSec field.

The objective of this training is to assess ND-ISAC member company security strategy prior to the implementation of an application in the technology infrastructure. The course enables attendees to identify threats and potential risks and to optimize the security strategy to be implemented through the use of the STRIDE methodology.

Training will:

  • Allow teams to use a “Shift-Left” approach and identify security threats during design
  • Enable teams to prioritize remediation and security controls
  • Enable teams to deliver secure software
  • Help organizations save security-associated costs

Below is a detailed outline of the ND-ISAC training series:

Training Day 1: February 3, 2021  5:00-6:00 PM EST

Introduction to Application Threat Modeling

  • What is Application Threat Modeling?
  • What are the benefits?
  • Steps of the Threat Modeling methodology
Data Flow Diagram

  • Introduction to Data Flow Diagrams (DFD)
  • Explanation of DFD Components
Exercise #1 – Create a Data Flow Diagram

  • Use an example to create a Data Flow Diagram
  • Identify trusted boundaries, processes and external entities in the diagram
Review Exercise #1

  • Review some of the attendees' diagrams and discuss

 

*Training Day 2: February 17, 2021  5:00-6:00 PM EST

Review Summary of Session #1

  • Quickly Review – what is Application Threat Modeling?
  • DFD Review
Identify Threat Vectors with STRIDE

  • Introduction to STRIDE
  • How to apply STRIDE to identify Threat Vectors
Exercise #2 – Threat Vector Identification

  • Use STRIDE to identify threat vectors
Review Exercise #2

  • Review some of the attendees' identified threats and discuss

*We highly recommend members attend all three trainings; subsequent trainings #2 and #3 will require attendance of the prior training and build on the skills acquired from each meeting. We will record the trainings for those who cannot make all live events.

 

*Training Day 3: March 3, 2021  5:00-6:00 PM EST

Review Summary of Session #2

  • Quick review of STRIDE
Rank Identified Threat Vectors

  • Learn how to rank identified threats
Exercise #3 – Threat Vector Ranking

  • Rank the identified threat vectors from Session #2
Review Exercise #3

  • Review some of the attendees' rankings
Mitigate Identified Threat Vectors

  • Map mitigation strategies against identified threats
Exercise #4 – Map mitigation strategies

  • Map the mitigation strategies for the identified security threats
Application Threat Modeling Final Thoughts

This is a TLP Green webinar and registration is open to ND-ISAC member companies only. If you are interested in participating in this training, e-mail info@ndisac.org for more information on registration.