Whiteboard Hacking

Whiteboard hacking, aka hands-on threat modeling

Our flagship 2-day whiteboard hacking course is aimed at software developers, architects, system managers, and security professionals. It is organized in-house on-demand, in open sessions, and at conferences. With this training we teach how to do practical threat modeling, how to identify cyber security risks at an early stage in the development lifecycle and how you can mitigate these risks.

As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world. To minimize that gap we have developed a 2-day course with practical use cases, based on real world projects. Students are challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:

  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on-premise gateway and an AWS based update service
  • OAuth scenarios for an HR application
  • Privacy of a new face recognition system in an airport

After each hands-on workshop, the results are discussed, and students receive a documented solution. We received great feedback at international conferences such as BruCON, OWASP, O'Reilly, DevSecCon and are proud that our flagship training is now selected for Black Hat USA for the 4th year in a row. Feedback from our training attendees:

  • “Sebastien delivered! One of the best workshop instructors I've ever had.”
  • “Very nice training course, one of the best I ever attended.”
  • “I feel that this course is one of the most important courses to be taken by a security professional.”
  • “The group hands-on practical exercises truly helped.”

Who is this course for?

This course is designed for software developers, architects, system managers or security professionals.

What makes this course special?

  • Our trainers are specialists from the field with years of practical threat modeling experience
  • Our training is at least 50% hands-on with exercises to enable the participants to apply this to their own systems
  • Our training can be tailored to the sector/systems that are relevant for the attendees

The extras

This course is all about getting you started with threat modeling as soon – and as effectively – as possible. We make your journey more convenient, with these extras:

  • our Whiteboard Hacking survival guide
  • hand-outs of the presentations
  • worksheets and detailed solution descriptions of the use cases
  • templates, to document a threat model and to calculate risk levels of threats
  • certification for successful completion of the course

What is threat modeling?

Threat modeling is the primary security analysis task performed during system design to identify and manage application threats and vulnerabilities.

What are the benefits of threat modeling?

  • Get the team on the same page with a shared vision on security
  • Prevent security design flaws
  • Identify & address greatest risks
  • Prioritize development efforts based on risk weighting
  • Increased risk awareness and understanding
  • Cost justification and support for needed controls
  • Document due diligence (GDPR, privacy by design, FDA)

What topics are covered?

  • Threat modeling in a secure development lifecycle
  • Different threat modeling methodologies
  • Doomsday scenarios
  • Data flow diagram and trust boundaries
  • STRIDE and attack trees
  • Attack libraries and mitigation patterns
  • Privacy by design and mitigating privacy threats
  • Effective threat model workshops
  • Agile threat modeling
  • Communicating threat models
  • Updating threat models
  • Threat modeling resources
  • Threat modeling tools compared
  • Examination and certification
Whiteboard Hacking - Grotehondstraat 44 1/1 - 2018 Antwerpen - jelle@diggle.be