2024 Course Announcements

As February is wrapping up, we wanted to share some exciting opportunities for the threat modeling and appsec community. The spring and summer seasons are a great time to level up your skills in a collaborative setting (with an added bonus of nice weather ??).

?

?? 2024 Archimedes Health Care Security Week

The Northeastern Archimedes Center for Health Care and Medical Device Cybersecurity will be hosting a Health Care Security Week from April 30-May 2 in New Orleans, LA!

?

Seats are still available for my upcoming, in-person Threat Modeling Essentials Course on Tuesday, April 30th. Like any of our Essentials courses, this training will be focused on the fundamentals of threat modeling, providing attendees the ability to more consistently and efficiently apply threat modeling using the Four Question Framework.

?

The medical device maker community includes a diverse range of professionals. From product engineers to regulatory enforcers, the intersection of cybersecurity and with so many parts of the business protects us from threats. And that’s why I’m excited to offer this training through Archimedes SPECIFICALLY for medical device manufacturing professionals whose work intersects medicine with cybersecurity.

?

As this course wis for medical device professionals, participants will work on a sample medical device during class, but FDA requirements will not be covered in depth.

?

Register for the event here, and make sure to register for the training separately! https://www.secure-medicine.org/https/www.secure-medicine.org/events/2024/trainingsessions-0

?? BlackHat USA 2024

BlackHat 2024 will take place from August 3-8, 2024, in Mandalay Bay, Las Vegas!

?

I am excited to announce that I’ll be leading two hands-on, interactive classes. You can choose to attend either the August 3-4 Threat Modeling Intensive class or the Aug 5-6 class. Students will start threat modeling early on day 1, followed by an understanding of traps that they might fall into, and then progressing through the Four Question Framework:?

• What are we working on?
• What can go wrong?
• What are we going to do about it?
• Did we do a good job?

This is capped off with an end-to-end exercise that brings the skills together. Learners will learn an arsenal of analysis techniques including DFDs, STRIDE and kill chains.

?

Whether you’re a seasoned veteran or just beginning to threat model, this Intensive is open for everyone. As long as you are a technical security professional looking to be more systematic and collaborative with product and service delivery teams, we are looking forward to seeing you.

?

Early bird pricing ends May 24, 2024, so sign up now to get that discount! https://www.blackhat.com/us-24/training/schedule/index.html#audience

?

?? Licensing Opportunities

The very first time I was asked to deliver threat modeling training I had no idea how. In 2015 I taught my first for-hire Threat Modeling class. I tried to do too much in too little time. Fast forward to 2024 - I’ve learned a fair bit about instructional design and teaching.?I've spent the last decade learning — and refining my Threat Modeling training.?In 2020 the pandemic forced me to consider how to effectively deliver my training virtually after years of not knowing how. Today, after working with instructional designers who helped me learn and develop different teaching and delivery methods, Shostack + Associates can deliver high quality training in-person, virtually, and through self-paced computer-based learning management systems.

?

At every step I’ve invested time, money, and deep thought into creating the best Threat Modeling training content. And I’m pleased to say that our clients always find it valuable.?Many clients invite my team and I back year after year to train their teams.

?

Creating good threat modeling content is time consuming. Let’s say you “only” spend ten minutes per minute of the course. A one-day course of 7 hours would be 70 hours of course design, or about 2 weeks. And as you do, you’re spending the exceptionally expensive time and goodwill of your engineers on your beta.

?

So, I’ll ask you or anyone in instructional design: Why not license ours? Much like adapting from in person to zoom, or live instruction to self-pace, the way we deliver can update and evolve.

?

Please reach out if you’re interested. We’re keen to adapt our content to best fit your practices.