
AppSec Fundamentals - Threat modeling 101 workshop


A full day threat modeling 101 workshop from the Equinor AppSec team!

Purpose

Help teams build and operate more secure systems by incorporating threat modeling into their daily work.

Context

Threat modeling is often cited as the practice with the greatest impact on strengthening a team's security posture, yet very few teams practice structured threat modeling. In this workshop you will get a basic introduction to threat modeling for a software development project. We do this by working on a sample web project, exploring both the software development lifecycle and the solution we build. Context matters. All models are wrong. Some models are useful. The most important threat modeling is the one you do now! Get started. Just do it :)

Audience

Software development teams. We suggest running the 101 workshop with teams, preferably the whole team. Several teams may be combined in one workshop. A good size for a workshop seems to be more than 10 and fewer than 20 participants.

Outline

The workshop outline looks like this:

  • Threat modeling introduction
  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?
  • Threat modeling the SDLC
  • Getting started with Threat modeling in your team
  • Wrapping up

Running the workshop

We usually follow the steps described in the Admin section. We prefer a physical workshop, using pen and paper. The Admin section mentions hand-outs and the physical supplies such as pens, rulers etc. We also have virtual adaptations of the workshop using Miro.

We typically run the workshop by opening the slides from https://equinor.github.io/appsec-fundamentals-threatmodeling-101-workshop. Alternatives are using the LiveServer extension in VS Code or using the Docker version of the slides.

Non-Equinor adaptations

The workshop makes a few references to internal Equinor teams and offerings. These should be adapted to your context.

Admin

This is the checklist for those who run the workshop. Adapt it to your context.

Slack

We use a specific internal Slack channel for sharing workshop content. This channel is open to our developer community and serves as the collective memory of our threat modeling journey.

Intro

There is a slide on the Equinor AppSec team, which drives this effort in Equinor. This is also where the instructors introduce themselves. Change this one to represent your context.

There is a slide on Practicalities. Adapt this to your context.

Wrap-up

There is a slide on Engaging the AppSec team and the community. Adapt this to your context.

There is a slide on Thank You. Adapt this to your context.
