Threat Modeling Intensive Training
The Center for Medical Device Cybersecurity (CMDC) is excited to sponsor a medical device-centered offering of Adam Shostack’s popular Threat Modeling Intensive. Attendees will learn how to consistently and efficiently apply threat modeling using the Four Question Framework. The course includes a mix of hands-on exercises, discussions, and lectures (available in video before and after the course). The focus will be on fundamental skill development.
Attendees are usually a mix of product engineers, security engineers, product managers, and regulatory professionals. They're generally mid-career or more senior.
This course does not require any prior threat modeling training. Product delivery experience is recommended.
- CMDC Member Organizations: significant discount (contact email@example.com for discount total and unique coupon code)
- General: $3400
- June 21-22, 2023
- 9 AM – 5 PM each day, with networking event after day 1
This course is designed to train product engineers, security engineers, product managers, and regulatory professionals in threat modeling, including different ways to address the questions we ask, and to select the skills they should bring to bear.
This is a 2-day learning event. Learners will spend 8 hours in class on both days. There will be a 1-hour lunch break and 15-minute breaks during the morning and afternoon sessions.
Prior to the first day of the course you will be enrolled in 'Shostack + Associates' Learning Management system where you will find copies of the recorded lectures, some of which we will use during the course, as well as optional videos that will allow you to explore the course topics in greater detail. We encourage you to watch them ahead of time to facilitate deeper in-class conversations.
- 9:00am - Introductions and Goals
- 10:00am - Threat Modeling Exercise - cards hands-on
- 10:30am - 15 Minutes Break
- 10:45am - What are we working on
- 12:00pm - Lunch: 60 Minutes to eat and recharge
- 1:00pm - What can go wrong 1: STRIDE
- 2:30pm - 15 Minutes Break
- 2:45pm - What are we going to do about it?
- 4:45pm - Day summary and close
- 9:00am - Check in, open questions
- 9:15 - What can go wrong 2: Kill chains
- 11:15 - 15 Minutes Break
- 11:30 - Mitigate: Risk management
- 12:00 - Lunch: 60 Minutes to eat and recharge.
- 1:00 - Did we do a good job
- 2:00 - End to end threat model exercise
- 2:15 - 15 Minutes Break
- 3:15 - Documenting, bringing to our work
- 4:15pm - Final questions, close
1. Discuss your end-to-end threat model with your peers.
2. Discuss the course with your supervisor: how will you apply what you learned?
3. Do a threat model with your peers, and don’t skimp on the retrospective.
4. Discuss the course with your peers: should we change our processes?
Best Hotel for Travelers - The Graduate Hotel, Minneapolis
The Graduate Hotel is located in the middle of the Minneapolis-East Bank Campus, just a few minutes walk to the classroom. There is no block, so reserve rooms early! For booking and more information visit their website here.