
https://github.com/equinor/appsec-fundamentals-threatmodeling-101-workshop

A full day workshop for DevOps teams on the topic of threat modeling

appsec documentation threat-modeling workshop


# AppSec Fundamentals - Threat modeling 101 workshop

[![License](https://shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](/CONTRIBUTING.md)
[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md)

A full day threat modeling 101 workshop from the Equinor AppSec team!

## Purpose

>Help teams build and operate more secure systems by incorporating threat modeling into their daily work.

## Context

Threat modeling is often cited as the practice with the greatest impact on strengthening a team's security posture, yet very few teams practice structured threat modeling. In this workshop you get a basic introduction to threat modeling for a software development project. We do this by working on a sample web project, exploring both the software development lifecycle and the solution we build. Context matters. All models are wrong. Some models are useful. The most important threat modeling is the one you do now! Get started. Just do it :)

## Audience

Software development teams. We suggest running the 101 workshop with teams, preferably the whole team. Several teams may be combined in one workshop. A good size for a workshop seems to be more than 10 and fewer than 20 participants.

## Outline

The workshop outline looks like this:

- Threat modeling introduction
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
- Threat modeling the SDLC
- Getting started with Threat modeling in your team
- Wrapping up

## Running the workshop

We usually follow the steps described in the [admin](./admin/readme.md) section. We prefer a physical workshop, using pen and paper. The admin section lists the hand-outs and the physical items such as pens, rulers, etc. We also have virtual adaptations of the workshop using Miro.

We typically run the workshop by opening the slides from [https://equinor.github.io/appsec-fundamentals-threatmodeling-101-workshop](https://equinor.github.io/appsec-fundamentals-threatmodeling-101-workshop). Alternatives are serving the slides with Live Server in VS Code or using the Docker version of the slides.

## Non-Equinor adaptations

The workshop makes a few references to internal Equinor teams and offerings. These should be adapted to your context.

### Admin

This is the checklist for those who run the workshop. Adapt it to your context.

### Slack

We use a specific internal Slack channel for sharing workshop content. This channel is open to our developer community and serves as a collective memory of our threat modeling journey.

### Intro

There is a slide on the **Equinor AppSec team**, which drives this effort in Equinor. This is also where the instructors introduce themselves. Change this one to represent your context.

There is a slide on **Practicalities**. Adapt this to your context.

### Wrap-up

There is a slide on **Engaging the appsec team and the community**. Adapt this to your context.

There is a slide on **Thank You**. Adapt this to your context.