Course Summary

The Certified Threat Modeling Professional (CTMP) is a vendor-neutral threat modeling training program.

This course is targeted at individuals interested in learning and implementing industry security best practices around threat modeling.

Upon completion of this threat modeling training course, you will understand:

• The basics of threat modeling from a business perspective
• The major components of agile threat modeling
• How to create and maintain a threat modeling practice
• How to create and maintain threat models
• How to facilitate threat modeling sessions with a larger audience

Module 1: Threat Modeling Overview
• What is Threat Modeling?
• The Threat Model Parlance
• Security is a Balancing Act
• Design Flaws and Risk Rating
• Why Threat Model?
• Threat Modeling vs. Other Security Practices
• Threat Modeling Frameworks and Methodologies
  • List/Library Centric Threat Modeling
  • Asset/Goal Centric Threat Modeling
  • Threat Actor/Attacker Centric Threat Modeling
  • Software Centric Threat Modeling
• Trust Boundaries vs. Attack Surfaces
• Modern Threat Modeling Approaches for Agile and DevOps
• Risk Management Strategies with Examples
  • Avoiding Risks
  • Accepting Risks
  • Mitigating Risks
  • Transferring Risks

Module 2: Threat Modeling Basics
• Threat Modeling and Security Requirements
• Threat Modeling vs Threat Rating
• Diagramming for Threat Modeling
• List Centric Threat Modeling
• Exploring the STRIDE Model
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege
• Pros and Cons of STRIDE
• STRIDE Defenses (the security property each STRIDE category attacks)
  • Authentication
  • Integrity
  • Non-Repudiation
  • Confidentiality
  • Availability
  • Authorization
• STRIDE Threat Examples
• Goal/Asset Based modeling Approach
• Attack Trees
• Attack Tree Analysis
• Attacker/Threat Actor Centric Modeling Approach
• Using MITRE ATT&CK for Attacker Centric Threat Modeling
• Software Centric Threat Modeling
• Other Threat Modeling Methodologies
  • PASTA
  • VAST
  • Hybrid Threat Modeling
  • RTMP
  • OCTAVE
• Gamified Approaches for Threat Modeling
  • Virtual Card Games
  • Adversary Card Games
• Introduction to Threat Rating
  • DREAD
  • OWASP Risk Rating Methodology
  • Bug Bar
  • Rapid Risk Assessment

Module 3: Agile Threat Modeling
• Agile Threat Modeling Approaches
• Threat Modeling Diagrams as Code
• Threat Modeling Inside The Code
• Threat Modeling as Code
• Compliance and Audit as Code
• Rapid Threat Model Prototyping
• Security Requirements as Code With BDD Security
• Events of Agile Software Development Through Scrum
• Writing Security Requirements for Agile Software Development
• Writing Use Cases and Abuse Cases
• Privacy Impact Assessments and Security Requirements
• Identifying Privacy Related Threats
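Modules 2 and 3 list STRIDE, DREAD and "threat modeling as code" as topics without showing what the combination looks like in practice. The following is an added, tool-independent illustration (it is not course material and does not use any specific product's API): the system's data-flow elements and trust boundaries are declared in plain Python, Microsoft's STRIDE-per-element table derives the candidate threats, each rated threat gets a DREAD score, and a function returns the unmitigated high-rated threats so a CI job can fail on them. The three-tier web application, its element names and the DREAD scores are constructed sample data.

```python
"""Threat modeling as code (added example): declare DFD elements and trust
boundaries, derive STRIDE-per-element threats, rate them with DREAD and
gate a pipeline on unmitigated high-rated threats. The model below is a
constructed sample, not a real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# STRIDE-per-element: which categories apply to each kind of DFD element.
# Repudiation on a data store only matters when the store holds audit logs.
STRIDE_PER_ELEMENT: Dict[str, List[str]] = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information Disclosure", "Denial of Service",
                "Elevation of Privilege"],
    "data_store": ["Tampering", "Repudiation",
                   "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # a key of STRIDE_PER_ELEMENT
    boundary: str   # trust boundary the element lives in


@dataclass(frozen=True)
class DataFlow:
    name: str
    source: Element
    sink: Element

    def crosses_boundary(self) -> bool:
        # A flow between two trust boundaries is attack surface: data from
        # the less-trusted side cannot be assumed well-formed or authentic.
        return self.source.boundary != self.sink.boundary


@dataclass
class Threat:
    category: str
    target: str
    crosses_boundary: bool
    dread: Dict[str, int] = field(default_factory=dict)
    mitigation: Optional[str] = None

    def rating(self) -> float:
        """DREAD rating: mean of Damage, Reproducibility, Exploitability,
        Affected users and Discoverability, each scored 1-10."""
        if len(self.dread) != 5:
            raise ValueError("DREAD needs all five scores")
        return sum(self.dread.values()) / 5


def enumerate_threats(elements: List[Element],
                      flows: List[DataFlow]) -> List[Threat]:
    """Apply the STRIDE-per-element table to every element and data flow."""
    threats = [Threat(cat, e.name, False)
               for e in elements for cat in STRIDE_PER_ELEMENT[e.kind]]
    threats += [Threat(cat, f.name, f.crosses_boundary())
                for f in flows for cat in STRIDE_PER_ELEMENT["data_flow"]]
    return threats


def unmitigated_high(threats: List[Threat],
                     threshold: float = 7.0) -> List[Threat]:
    """Rated threats at or above the threshold that carry no mitigation.
    Intended to gate a CI pipeline: a non-empty result fails the build."""
    return [t for t in threats
            if t.dread and t.mitigation is None and t.rating() >= threshold]


# --- constructed sample model: a three-tier web application --------------
browser = Element("Browser", "external_entity", "internet")
webapp = Element("Web App", "process", "dmz")
orders_db = Element("Orders DB", "data_store", "internal")
ELEMENTS = [browser, webapp, orders_db]
FLOWS = [DataFlow("HTTPS request", browser, webapp),
         DataFlow("SQL query", webapp, orders_db)]


def build_model() -> List[Threat]:
    """Enumerate threats, then rate the two this sketch cares about. In a
    real model every boundary-crossing threat would be rated."""
    threats = enumerate_threats(ELEMENTS, FLOWS)
    for t in threats:
        if t.target == "SQL query" and t.category == "Tampering":
            # Constructed scores for SQL injection; deliberately left
            # unmitigated so the CI gate fires.
            t.dread = {"D": 9, "R": 8, "E": 7, "A": 9, "Di": 8}
        if t.target == "HTTPS request" and t.category == "Information Disclosure":
            t.dread = {"D": 7, "R": 9, "E": 6, "A": 8, "Di": 8}
            t.mitigation = "TLS 1.2+ with HSTS"
    return threats


if __name__ == "__main__":
    model = build_model()
    print(f"{len(model)} candidate threats, "
          f"{sum(t.crosses_boundary for t in model)} on boundary-crossing flows")
    for t in unmitigated_high(model):
        print(f"UNMITIGATED {t.category} on {t.target}: DREAD {t.rating():.1f}")
```

Because the model is ordinary source code, it can live next to the application, be reviewed in the same pull requests, and be diffed when the architecture changes; the gate function is the piece that turns "mitigations are tested" from a checklist item into a build failure.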

Module 4: Reporting and Deliverables
• How to Manage Threat Models
  • Documentation
  • Backlog
  • Bugs and Tickets
  • Code
  • Automation
• Threat Modeling Tools and Templates
  • Microsoft Threat Modeling Tool
  • OWASP Threat Dragon
  • CAIRIS Platform
  • Threat Modeling as Code Tools
  • Freemium Tools
  • Threat Model Templates and Examples
• Validating Threat Models
  • Threat Model Versus Reality
  • All Threats Accounted For Risk
  • Mitigations Are Tested
  • Are We Done Threat Modeling?

Module 5: Secure Design Principles and Threat Modeling Native and Cloud Native Applications
• Exploring Principles of Secure Design with Examples
  • Principle of Economy of Mechanism
  • Principle of Fail-Safe Defaults
  • Principle of Complete Mediation
  • Principle of Open Design
  • Principle of Separation of Privilege
  • Principle of Least Privilege
  • Principle of Least Common Mechanism
  • Principle of Psychological Acceptability

Course participants should have knowledge of basic security fundamentals like Confidentiality, Integrity, and Availability (CIA). Basic knowledge of application development is preferred but is not necessary.

Certified Threat Modeling Professional Exam
• Duration: 6 hours
• Exam type: Practical/labs
• Number of tasks: 5
• Passing score: 80%

After booking, every participant receives a confirmation message and calendar placeholders for the course dates. All course materials and access to the labs and platforms used in the course are provided no later than one week before the course begins.

The course fee covers all training materials, lab access and a certificate of completion. The certification examination fee is not included and can be purchased separately.
