Course detail
Certified Threat Modeling Professional (CTMP)
EDU Trainings s.r.o.
Course description
The Certified Threat Modeling Professional (CTMP) is the first vendor-neutral threat modeling training and certification program of its kind.
This course is targeted towards individuals or teams interested in devoting their careers to learning and implementing industry security best practices around Threat modeling.
Course Inclusions:
Course Manual
Course Videos and Checklists
40+ Guided Exercises
60 days Online Lab Access
Access to a dedicated channel
One exam attempt for the Certified Threat Modeling Professional certification
Upon completion of the course, you will understand:
The basics of threat modeling from a business perspective
Threat modeling processes, tools, and techniques
The major components of agile threat modeling
How to create and maintain a threat modeling practice
How to create and maintain threat models
How to facilitate threat modeling sessions with a larger audience
Course content
Chapter 1: Threat Modeling Overview
What is Threat Modeling?
The Threat Model Parlance
Security is a Balancing Act
Design Flaws and Risk Rating
Why Threat Model?
Threat Modeling vs. Other Security Practices
Threat Modeling Frameworks and Methodologies
List/Library Centric Threat Modeling
Asset/Goal Centric Threat Modeling
Threat Actor/Attacker Centric Threat Modeling
Software Centric Threat Modeling
Trust Boundaries vs. Attack Surfaces
Modern Threat Modeling Approaches for Agile and DevOps
Risk Management Strategies with Examples
Avoiding Risks
Accepting Risks
Mitigating Risks
Transferring Risks
Hands-on Exercises:
Breakout Sessions to Identify Threats for a Multi-Tiered Application
Chapter 2: Threat Modeling Basics
Threat Modeling and Security Requirements
Threat Modeling vs Threat Rating
Diagramming for Threat Modeling
List Centric Threat Modeling
Exploring the STRIDE Model
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Pros and Cons of STRIDE
STRIDE defenses
Authentication
Integrity
Non-Repudiation
Confidentiality
Availability
Authorization
STRIDE Threat examples
Goal/Asset Based Modeling Approach
Attack Trees
Attack Tree Analysis
Attacker/Threat Actor Centric Modeling Approach
Using MITRE ATT&CK for Attacker Centric Threat Modeling
Software Centric Threat Modeling
Other Threat modeling methodologies
PASTA
VAST
Hybrid Threat modeling
RTMP
OCTAVE
Gamified Approaches for Threat Modeling
Virtual Card Games
Adversary Card Games
Introduction to Threat Rating
DREAD
OWASP Risk Rating Methodology
Bug Bar
Rapid Risk Assessment
Hands-on Exercises:
Creating a Data Flow Diagram for Threat Modeling
Using OWASP Cornucopia to Identify Web Related Threats
Creating Threat Actor Personas
Using Threat Actor Personas to Identify Threats
Risk Rating with OWASP Risk Rating Methodology
Chapter 3: Agile Threat Modeling
Agile Threat Modeling Approaches
Threat Modeling Diagrams as Code
Threat Modeling Inside The Code
Threat Modeling as Code
Compliance and Audit as Code
Rapid Threat Model Prototyping
Security Requirements as Code With BDD Security
Events of Agile Software Development Through Scrum
Writing Security Requirements for Agile Software Development
Writing Use Cases and Abuse Cases
Privacy Impact Assessments and Security Requirements
Identifying Privacy Related Threats
Hands-on Exercises:
Writing Abuse Cases for Password Reset Workflow
Threat Modeling Privacy for your system
Exploring UML as Code
Creating Attack Trees Using Code
Writing Threat Models Alongside Code
Writing Threat Models With Code
Writing Threat Models As Code
Writing Compliance As Code for PCI-DSS
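Attack Tree Analysis in Chapter 2 and Creating Attack Trees Using Code in Chapter 3 both treat an attack tree as data to evaluate rather than a picture to draw. The Python below is an added example written for this page, not course material from the vendor or from EDU Trainings s.r.o.; the goal, the leaves and their costs are constructed, and the cost units are hypothetical. It computes the cheapest path to the root goal (an OR node takes its cheapest child, an AND node adds all of its children) and shows that mitigating one leaf of an AND branch removes that whole branch, so the attacker's next cheapest path becomes the one to defend.

```python
"""Attack tree as code: AND/OR nodes with an attacker cost, evaluated bottom-up."""
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"             # "LEAF", "OR" or "AND"
    cost: int = 0                  # attacker effort for a leaf, in hypothetical units
    children: list["Node"] = field(default_factory=list)
    mitigated: bool = False        # a mitigated leaf is unreachable (infinite cost)


def cheapest(node: Node) -> tuple[float, list[str]]:
    """Minimum attacker cost to achieve `node`, plus the leaves that path uses.
    OR: the cheapest child wins.  AND: every child must be achieved, so costs add."""
    if node.kind == "LEAF":
        return (INF, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        total = sum(r[0] for r in results)
        leaves = [] if total == INF else [leaf for r in results for leaf in r[1]]
        return (total, leaves)
    raise ValueError(f"unknown node kind: {node.kind}")


def mitigate(root: Node, leaf_name: str) -> bool:
    """Mark every leaf called `leaf_name` as mitigated; True if at least one was found."""
    if root.kind == "LEAF" and root.name == leaf_name:
        root.mitigated = True
        return True
    found = False
    for child in root.children:
        found = mitigate(child, leaf_name) or found
    return found


def feasible(root: Node, attacker_budget: int) -> bool:
    """Is the goal reachable by an attacker willing to spend `attacker_budget`?"""
    return cheapest(root)[0] <= attacker_budget


def build_tree() -> Node:
    """Constructed example: one attacker goal against a hypothetical web app.
    Costs are illustrative, not measured."""
    steal_cookie = Node("Steal a session cookie", "AND", children=[
        Node("Find a reflected XSS in search", cost=3),
        Node("Session cookie lacks HttpOnly", cost=1),
    ])
    guess_password = Node("Take over the account by guessing", "AND", children=[
        Node("No lockout on the login endpoint", cost=1),
        Node("Weak password policy", cost=2),
        Node("Obtain a credential-stuffing list", cost=2),
    ])
    sqli = Node("SQL injection in the report filter", cost=5)
    return Node("Read another user's records", "OR",
                children=[steal_cookie, guess_password, sqli])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest path:", cheapest(tree))
    mitigate(tree, "Session cookie lacks HttpOnly")
    print("after setting HttpOnly:", cheapest(tree))
```

Run as a script it prints the cheapest path before and after one mitigation. The design choice worth noting is that mitigation is modelled as infinite cost on a leaf rather than deleting the node: the tree keeps its history, and an AND branch whose single cheap precondition has been closed drops out automatically, which is exactly the question a review session asks ("which one control kills this branch?").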
Chapter 4: Reporting and Deliverables
How To Manage Threat Models
Documentation
Backlog
Bugs, and Tickets
Code
Automation
Threat Modeling Tools and Templates
Microsoft Threat Modeling Tool
OWASP Threat Dragon
CAIRIS Platform
Threat Modeling As Code Tools
Freemium Tools
Threat Model Templates and Examples
Validating Threat Models
Threat Model Versus Reality
All Threats Accounted For
Risk Mitigations Are Tested
Are We Done Threat Modeling?
Hands-on Exercises:
Threat Modeling with OWASP Threat Dragon
Threat Modeling a Multi-Tiered Application with IriusRisk
Threat Modeling for Multi-Cloud with IriusRisk
Validating Threats with Automated Tests
Validating Mitigations with Automated Tests
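The STRIDE and DREAD material in Chapter 2, Threat Modeling as Code in Chapter 3, and Validating Threats and Mitigations with Automated Tests in Chapter 4 fit together as one pipeline: the model is data, rules derive threats from it, and mitigations are verified by rerunning the rules. The Python below is an added example written for this page, not tooling from the course or from IriusRisk, OWASP Threat Dragon or any other product; the three-tier system, the per-interaction STRIDE rules, the DREAD weights and the recorded mitigations are all constructed for illustration.

```python
"""Threat model as code: STRIDE rules per data flow, DREAD scores, mitigations re-checked by tests."""
from dataclasses import dataclass

@dataclass
class Element:
    name: str
    kind: str                  # "actor", "process" or "store"
    trust_zone: str            # flows between different zones cross a trust boundary
    logs_access: bool = False  # only meaningful for stores

@dataclass
class Flow:
    src: Element
    dst: Element
    protocol: str
    authenticated: bool = False
    encrypted: bool = False    # transport confidentiality and integrity (e.g. TLS)
    rate_limited: bool = False
    input_validated: bool = False
    @property
    def label(self) -> str:
        return f"{self.src.name} -> {self.dst.name} ({self.protocol})"

@dataclass
class Threat:
    category: str              # one STRIDE category
    target: str                # flow label or element name
    reason: str
    dread: dict[str, int]      # Damage, Reproducibility, Exploitability, Affected users, Discoverability
    @property
    def score(self) -> float:  # plain DREAD average on a 1..10 scale
        return sum(self.dread.values()) / len(self.dread)

_DREAD = {  # illustrative values per rule; a real programme calibrates these per system
    "Spoofing":               dict(D=8, R=7, E=6, A=8, Di=7),
    "Tampering":              dict(D=7, R=6, E=5, A=8, Di=6),
    "Repudiation":            dict(D=5, R=7, E=6, A=6, Di=5),
    "Information Disclosure": dict(D=8, R=9, E=7, A=9, Di=6),
    "Denial of Service":      dict(D=6, R=8, E=8, A=9, Di=8),
    "Elevation of Privilege": dict(D=9, R=6, E=5, A=9, Di=5),
}

def find_threats(elements: list[Element], flows: list[Flow]) -> list[Threat]:
    """STRIDE-per-interaction rules over the model, highest DREAD score first."""
    found: list[Threat] = []
    def add(cat: str, target: str, reason: str) -> None:
        found.append(Threat(cat, target, reason, _DREAD[cat]))
    for f in flows:
        if f.src.trust_zone == f.dst.trust_zone:
            continue           # same trust zone: these boundary rules do not fire
        if not f.authenticated:
            add("Spoofing", f.label, "peer is not authenticated across a trust boundary")
        if not f.encrypted:
            add("Information Disclosure", f.label, "cleartext across a trust boundary")
            add("Tampering", f.label, "no transport integrity protection")
        if not f.rate_limited:
            add("Denial of Service", f.label, "no rate limit on a boundary-crossing flow")
        if f.dst.kind == "process" and not f.input_validated:
            add("Elevation of Privilege", f.label, "untrusted input reaches the process unvalidated")
    for e in elements:
        if e.kind == "store" and not e.logs_access:
            add("Repudiation", e.name, "store does not record who accessed what")
    return sorted(found, key=lambda t: t.score, reverse=True)

def build_model() -> tuple[list[Element], list[Flow]]:
    """Constructed three-tier example; it describes no real deployment."""
    browser = Element("Browser", "actor", "internet")
    web = Element("Web app", "process", "dmz")
    db = Element("Orders DB", "store", "backend")
    flows = [Flow(browser, web, "HTTPS", authenticated=True, encrypted=True, input_validated=True),
             Flow(web, db, "TCP/5432", authenticated=True)]   # cleartext, no rate limit
    return [browser, web, db], flows

# Mitigations the team recorded against the model: (target, modelled property, note).
MITIGATIONS = [
    ("Web app -> Orders DB (TCP/5432)", "encrypted", "TLS to the database"),
    ("Web app -> Orders DB (TCP/5432)", "rate_limited", "connection pool cap per worker"),
    ("Browser -> Web app (HTTPS)", "rate_limited", "per-source-IP limit at the edge"),
    ("Orders DB", "logs_access", "audit logging on the orders schema"),
]

def apply_mitigations(elements, flows, mitigations=MITIGATIONS) -> int:
    """Set the modelled property for each recorded mitigation; returns how many applied."""
    by_name = {f.label: f for f in flows}
    by_name.update({e.name: e for e in elements})
    applied = 0
    for target, prop, _note in mitigations:
        obj = by_name.get(target)
        if obj is not None and hasattr(obj, prop):
            setattr(obj, prop, True)
            applied += 1
    return applied

def threats_above(threats: list[Threat], threshold: float) -> list[Threat]:
    """The gate a pipeline enforces: nothing at or above `threshold` may remain."""
    return [t for t in threats if t.score >= threshold]

if __name__ == "__main__":
    elements, flows = build_model()
    print(*(f"{t.score:.1f} {t.category}: {t.target}" for t in find_threats(elements, flows)), sep="\n")
```

Run directly, it lists the derived threats with their DREAD scores. In CI the same module is exercised by a test that builds the model, applies the recorded mitigations and asserts that threats_above() returns nothing at or above the agreed threshold, so a later design change that reintroduces a cleartext boundary crossing or removes the audit log fails the build rather than silently aging the threat model.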
Chapter 5: Secure Design Principles and Threat Modeling Native and Cloud Native Applications
Exploring Principles of Secure Design with Examples
Principle of Economy of Mechanism
Principle of Fail Safe Defaults
Principle of Complete Mediation
Principle of Open Design
Principle of Separation of Privilege
Principle of Least Privilege
Principle of Least Common Mechanism
Principle of Psychological Acceptability
Case Study of AWS S3 Threat model
Case Study of Kubernetes Threat Model
Case Study of Very Secure FTP daemon
Certificate
On request.