Length: 2 Days

Software Security and Threat Modeling Workshop by Tonex

Software Design, Test, and Evaluation (DT&E) Training

The Software Security and Threat Modeling Workshop is a hands-on, immersive 2-day training that equips developers, security professionals, and architects with the essential skills to build secure software from design through deployment. Participants will learn to identify and mitigate software security threats using proven methodologies such as threat modeling, secure design patterns, and DevSecOps practices. The course covers key topics including API security, secure coding, OWASP Top 10 vulnerabilities, cloud security best practices, and the role of Software Bill of Materials (SBOM) in supply chain security.

The workshop blends theoretical instruction with real-world case studies, hands-on labs, and interactive exercises to ensure a practical understanding of security fundamentals and their application in modern development environments.

Learning Objectives

By the end of this workshop, participants will be able to:

  • Understand and apply threat modeling techniques such as STRIDE and DREAD to identify risks in software architectures.
  • Integrate secure design principles into software architecture and design processes.
  • Implement secure coding practices that prevent common vulnerabilities including injection, authentication flaws, and insecure deserialization.
  • Identify and mitigate vulnerabilities listed in the OWASP Top 10 and API Security Top 10.
  • Apply API security best practices to protect against unauthorized access, data leakage, and abuse.
  • Implement Secure DevOps (DevSecOps) workflows to integrate security into CI/CD pipelines.
  • Understand foundational cloud security concepts and apply cloud-specific best practices to secure services and data.
  • Create and interpret a Software Bill of Materials (SBOM) to manage third-party and open-source component risks.
  • Evaluate the security posture of applications using tooling and manual analysis, and recommend mitigations.
  • Design secure architectures and communicate threat modeling outcomes to stakeholders effectively.

Target Audience

This workshop is designed for:

  • Software Engineers and Developers seeking to enhance their secure coding and design practices.
  • Security Engineers and Analysts involved in application security assessments or DevSecOps integration.
  • Software Architects and System Designers responsible for secure system architecture.
  • DevOps and Cloud Engineers integrating security into pipelines and cloud environments.
  • Product Managers and Technical Leads who need to understand and prioritize software security risks.
  • Compliance Officers and Risk Managers involved in SBOM, supply chain security, and regulatory adherence.

Course Modules:

Day 1: Foundations of Secure Software Design

  1. Welcome and Workshop Overview
     • Objectives and outcomes
     • Icebreaker: Security breach stories
  2. Introduction to Threat Modeling
     • What is Threat Modeling?
     • STRIDE and DREAD frameworks
     • How to model a system using Data Flow Diagrams (DFDs)
     • Hands-on: Model a basic web application
  3. Secure Design Concepts
     • Principles of secure design (Least Privilege, Defense in Depth, Fail Securely)
     • Common design flaws
     • Architecture review strategies
     • Case Study: Analyzing a flawed system design
  4. OWASP Top 10 Deep Dive
     • Overview of OWASP Top 10 (latest edition)
     • Real-world examples and exploitation walkthrough
     • Mapping threats to architecture
     • Mini-lab: Identify OWASP Top 10 vulnerabilities in sample code
  5. Secure Coding Best Practices
     • Input validation and output encoding
     • Authentication and session management
     • Secure error handling and logging
     • Secure use of cryptography
     • Hands-on lab: Code hardening exercises

Day 2: Applied Software Security & DevSecOps

  1. API Security Best Practices
     • Security challenges with RESTful APIs
     • Authentication (OAuth2, JWT), rate limiting, and input validation
     • Managing exposed endpoints and attack surfaces
     • Tools: OWASP API Security Top 10
     • Lab: Secure an intentionally vulnerable API
  2. Secure DevOps (DevSecOps)
     • Integrating security into CI/CD
     • Security-as-Code: Tools and pipelines (e.g., Snyk, SonarQube, Trivy)
     • Secrets management (Vault, KMS)
     • Hands-on: Build a DevSecOps CI pipeline snippet
  3. Introduction to Cloud Security
     • Shared Responsibility Model (AWS, Azure, GCP)
     • Identity and access management (IAM) best practices
     • Secure storage and data encryption
     • Cloud misconfigurations and how to detect them
     • Case Study: Cloud data breach post-mortem
  4. Introduction to SBOM (Software Bill of Materials)
     • What is an SBOM and why it matters
     • Components and standards (CycloneDX, SPDX)
     • SBOM generation tools (Syft, Anchore)
     • Use in vulnerability detection and supply chain security
     • Demo: Creating and analyzing an SBOM
  5. Capstone Exercise: Threat Model and Defend
     • Participants choose an app/system
     • Create a DFD, identify threats, map to OWASP/API Top 10
     • Propose secure design, DevSecOps pipeline, and generate SBOM
     • Present findings
