SecAppDev 2022 Workshop Details

Hands-on threat modeling

Sebastien Deleersnyder
Thursday June 16, 09:00 - 17:00

This is a Threat Modeling course for DevOps Engineers to improve reliability and security of delivered software. We will teach an iterative and incremental threat modeling method.

You will perform threat modeling in 4 sprints. Exercises are built upon a fictional system, migrating a legacy system towards a cloud application:

  • Modeling a hotel booking web and mobile application, sharing a REST backend
  • Threat identification as part of migrating the system to AWS
  • AWS threat mitigations for the booking system build on microservices
  • Building an attack library for CI/CD pipelines

  • Threat modeling introduction
  • Diagramming
  • Identifying threats
  • Addressing threats
  • Practical threat modeling
  • Threat modeling resources
Learning goal

Cover the 4 main steps of creating and updating an effective threat model and use threat modeling as part of the secure design of systems

Content level


Target audience

Software developers, architects, product managers, incident responders, and security professionals


Basic IT knowledge of web and mobile applications, databases & single sign-on (SSO) principles

Technical requirements

Bring your own tablet or laptop to get access to our learning platform with all the handouts and solutions.

Sebastien Deleersnyder

Sebastien Deleersnyder

CTO, Toreon

Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Leading OWASP projects such as OWASP SAMM, he has genuinely helped make the world a safer place. What’s he currently up to? Right now, he’s busy adapting application security models to the evolving field of DevOps and is also focused on getting the word out on Threat Modeling to a broader audience.

Full speaker profile

Related security processes sessions

Solid foundation for a secure future

Lecture by Jaya Baloo

How do we build a better future for information security? This session will discuss the importance of security, along with a path towards a more secure future.

Security processes Wednesday June 15, 16:00 - 17:15

Everything-as-Code - Ideas for a new world of AppSec

Lecture by Abhay Bhargav

Showcasing techniques, tools and practices that underscore and highlight concepts of security-as-code for application security.

Security processes Tuesday June 14, 11:00 - 12:30

Enterprise security architecture and app development

Lecture by Stefaan Van daele

Developing secure code is a good start, but what more could you do from security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.

Security processes Monday June 13, 11:00 - 12:30

Level up your threat modeling practice

Lecture by Sebastien Deleersnyder

We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modelling into an established, reliable practice.

Security processes Tuesday June 14, 14:00 - 15:30

Persona-based security and threat-modeling

Lecture by Deepak Subramanian

The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits a small exercise would be held to do a persona-based organizational threat model.

Security processes Wednesday June 15, 14:00 - 15:30