Craft Conference is cancelled.   More info

Steven Wierckx

Application Security Consultant at Toreon


Hands-On Threat Modeling and Tooling for DevSecOps
Wednesday 9:00 - 17:00 -
threat modelling
threat modeling
secure development lifecylce
secure architecture
secure disgn
privacy by design
Your rating:

Toreon proposes an action-packed 1-day Threat Modeling course specifically for DevOps Engineers to improve reliability and security of delivered software. We will teach an iterative and incremental threat modeling method that is integrated in the development and deployment pipeline.  As speed of delivery is crucial with shorter development cycles, increased deployment frequency, and more dependable releases we focus on a risk-based unified threat modeling practice that is in close alignment with business objectives.

The training material and hands-on workshops with real life use cases are provided by Toreon. The students will be challenged to perform practical threat modeling in squads of 3 to 4 people covering the different stages of threat modeling on an incremental business driven CI/CD scenario:

·         Sprint 1: Modeling a hotel booking web and mobile application, sharing the same REST backend

·         Sprint 2: Threat identification as part of migrating the booking system application to AWS

·         Sprint 3: AWS threat mitigations for the booking system build on microservices

·         Sprint 4: Building an attack library for CI/CD pipelines


Steven Wierckx is an application security consultant with 20 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design, Steven shares his passion for the secure development lifecycle through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the co-project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. He spoke at Hack in the Box Amsterdam, hosted workshops at BruCON and DevSecCon (UK) and delivered threat modeling trainings at OWASP AppSec USA, OWASP AppSec Israel, BruCON and O’Reilly Security New York.