Threat Modeling Workshop

A collaborative experience where we will learn basic threat modeling components by brainstorming and drawing all together.

Threat modeling is a great way to identify security risks by structuring possible attacks, bad actors and countermeasures over a broad view of the targeted system. Attendees will learn basic threat modeling concepts through hands-on examples, and how to use them effectively.

This workshop will be a collaborative experience with threat model content created with the audience. We will open the session with a quick introduction and roundup of the tools that will be used: attack trees, flow diagrams and related open source software.

Attendees will be able to choose between three ways of getting involved:

  • Brainstorming: give your ideas to the whole group to model on a whiteboard.
  • Pen and paper: model the group's brainstormed ideas and add your own.
  • Computer modeling: generate the resulting models using code.

Participants will collectively decide on a system to model:

  • Cryptocurrency Desktop Wallet
  • Internet of Things Power Switch
  • Online Video Game Battle Royale
  • Anything else that the group is interested in

Participants should bring:

Pens and paper will be provided for everyone free of charge. We will use a whiteboard, and participants can also bring their laptops.

Participants must know or have:

Any skill level: zero to master knowledge about attack patterns, zero to master knowledge about computer systems. Participants will be able to take a role according to their skill level and enthusiasm.

No prior threat modeling experience is required.


Jonathan Marcil, Application Security Engineer, Twitch

Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently leads the OWASP Media Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Montreal, he was the local chapter leader and was part of NorthSec CTF as a challenge designer specialized in Web and imaginative contraptions. He is passionate about Application Security and enjoys architecture analysis, code review, threat modeling and debunking security tools. Jonathan holds a bachelor's degree in Software Engineering from ETS Montreal and has more than 15 years of experience in Information Technology and Security.