Building and Running Security Exercises presented at CircleCityCon 2017

by Wolfgang Goerlich

Summary: Everyone is talking about threat modeling. And a few are talking about security exercises. But when you get down to it, practically no one does either. The reasons are simple: modeling can be complicated, there is conflicting information, and it is not clear what to do with the finished model. This session presents a pragmatic threat modeling exercise that can be accomplished in an afternoon. We will review how to find sources for threat models, communicate the findings, audit and assess the available controls, and drive change within the organization. In sum, this training presents a practical approach to rapidly getting the most from threat modeling and running security exercises.