Whiteboard hacking for DevOps Engineers


16-17 Oct 2018




£1,500 GBP (excl. VAT)

This is a past event

This is the page of a past DevSecCon event. To view and select current events, please return to DevSecCon.com/Academy.

Join us for an action-packed 2-day Threat Modeling course specifically for DevOps Engineers to improve reliability and security of delivered software. We will teach an iterative and incremental threat modeling method that is integrated in the development and deployment pipeline. 

Training Description

Threat modeling is the primary security analysis task performed during the software design stage. It is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objective, threat, and attack modeling activities performed during threat modeling are designed to help you find vulnerabilities in your application and the supporting architecture. You can use the identified vulnerabilities to help shape your design and to direct and scope your security testing. For this training we will teach an iterative and incremental threat modeling method that is integrated in the development and deployment pipeline.

Threat modeling allows you to consider, identify, and discuss the security implications of user stories in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model based on an AWS and microservices migration from a classical web application.

Threat Modeling – Real Life Use Cases

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world.

In order to minimise that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build and iteratively improve a threat model. Using this methodology for the hands-on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily DevOps work.

The students will be challenged to perform practical threat modeling in squads of 3 to 4 people, covering the different stages of threat modeling on an incremental, business-driven CI/CD scenario:

  • Sprint 1: Modeling a hotel booking web and mobile application, sharing the same REST backend
  • Sprint 2: Threat identification as part of migrating the booking system application to AWS
  • Sprint 3: AWS threat mitigations for the booking system built on microservices
  • Sprint 4: Building an attack library for CI/CD pipelines

After each hands-on workshop, the results are discussed, and the students receive a documented solution.

Who should attend

This course is aimed at anyone who is trying to embed security as part of agile/cloud/DevOps environments like Security Professionals, Penetration Testers, Red Teamers, IT managers, Developers and DevOps Engineers.

Prerequisites and hardware requirements

Before attending this course, students should have basic knowledge of microservices, cloud architectures and AWS. The students should bring their own laptop to the course.

What students will be provided with

  1. Hand-outs of the presentations
  2. Work sheets and detailed solution descriptions of the use cases
  3. Templates: threat model, calculating risk levels of identified threats
  4. Certificate: Following a successful exam (passing grade defined at 70%), the student will receive certification for successful completion of the course

Course outline

Threat modeling introduction for DevOps
Diagrams – what are you building?
Hands-on: diagram B2B web and mobile applications
Identifying threats – what can go wrong?
Hands-on: Threat identification as part of migrating to AWS
Addressing each threat
Hands-on: AWS threat mitigations for microservices
Practical threat modeling as part of the DevOps pipeline
Attack libraries
Hands-on: Building an attack library for CI/CD pipelines
Threat modeling resources
Threat modeling tools as part of the DevOps toolchain

Register now

LONDON | 16-17 OCT 2018


2-in-1 Package: Booking of this training course includes a complimentary 2-day conference pass for DevSecCon London (18-19 Oct 2018)!

Payment methods

Pay by card (Eventbrite)

Please complete your registration on Eventbrite by selecting the ticket ‘Whiteboard hacking for DevOps Engineers + Regular 2-Day Pass’.


Pay by bank transfer (invoice)


About the trainers

Sebastien Deleersnyder
Co-founder & managing partner application security, Toreon

Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.

Steven Wierckx
Security Consultant, Toreon

Steven is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. Last year, he spoke at Hack in the Box Amsterdam, hosted a workshop at BruCON and delivered threat modeling trainings at OWASP AppSec USA and O’Reilly Security New York.
