The threat model session continues at 11 A.M. This time my colleague starts drawing the Data Flow Diagram (DFD), which maps out the flow of information for any process and system. In this case, the diagram was drawn for the client’s web application, including frontend and backend servers, databases, a message bus for internal communication, etc. With this diagram, my colleague will be able to identify the possible threats and vulnerabilities at a later stage. This meeting lasted until 12.40am, after which I had my lunch break until 13.30 P.M.
From 1.30-3 P.M., I was given the task to clean up the diagram and add some extra features (trust boundaries, which represent the change of trust levels as the data flows through the application). Additionally, I had to integrate these trust boundaries into STRIDE (= identifying threats) so that my colleague can use this for the threat model analysis.
At 3 P.M. I attended a short meeting with other colleagues and a supplier for an application that Toreon wants to use. We discussed some technical details that we would like to see being implemented in the application.
At the end of the workday, I had some time left to study for my Microsoft 365 fundamentals certification, which is a must-have as a trainee because it belongs to a trainee’s curriculum. This is also helpful in case you want to work with Microsoft products inside Toreon after you ‘graduate’ as a trainee.
Mouhcine, clocking off.