BSidesLuxembourg 2026

Ralph Andalis

Ralph is a Senior Pentester for a confidential company somewhere in the Middle East. Before that, he was a Senior Security Engineer at Microsoft, where he dealt with security architecture reviews, security design reviews, threat modelling, security research, code reviews, and pentesting on the dedicated product he worked on directly with 100+ software engineers. He has 10 years of experience in the industry as a Security Consultant/Pentester/Security Researcher and recently served as a Security Consultant at NCC Group, a well-acknowledged global information security assurance firm. His expertise is mainly Web, Mobile, and Network Pentesting, Threat Modelling, Security Architecture Review, and Security Design Reviews. Prior to that, he was a pioneer Application Security Consultant for Fwdsec and a Cyber Threat Management Consultant at Ernst & Young (EY), where he was sent abroad for client engagements upon client request. He started his career as a Security Researcher at Hewlett-Packard Fortify with a focus on Mobile Application Security, particularly Android and iOS.

He is also a major active contributor to, and a member of the working group for, the OWASP Application Security Verification Standard (ASVS) project, making the standard better for fellow pentesters and developers alike. Whenever he has spare time, he volunteers to give Web, Mobile Application Security, and Threat Modelling lectures to university students, as part of being a thought leader in the security community and of his outreach to students. You can also find him as a regular volunteer staff member at some premium and well-known security conferences, namely CanSecWest, REcon and Ringzer0 Training.

He trained attendees at BSides Vancouver 2025 and BSides Orlando 2025 in the same workshop, "Threat Modelling Starter Training", which was well received. He presented his talk, "OWASP ASVS: A Methodical and Practical Approach to Application Security Testing", at the OWASP AppSec Pacific Northwest (PNW) 2024 conference on June 15-16, 2024 in Vancouver, BC, Canada. He also delivered a similar presentation aimed at beginners online at HackStop Cybersecurity Summit 2024, held on March 21-22, 2024 in Ljubljana, Slovenia.

He earned his Computer Science degree from Ateneo de Naga University, one of the best top-tier schools in the Philippines. His bachelor's thesis received an award at a National IT Conference in 2015, one of his top accomplishments at the time, alongside being a consistent Dean's List awardee.


Session

05-06
09:00
540min
Threat Modelling Starter Training
Ralph Andalis

This threat modelling training is geared towards beginner to intermediate audiences with software engineering or security engineering/pentesting backgrounds who have never done any sort of threat modelling work but are trying to get into it. In practice, anyone can join this class even without those backgrounds, as long as they have at least a basic idea of how programs work at the code level and of basic cyber security issues and threats, and anybody interested in learning them is welcome.

The main goal of this training is to help participants understand the importance of threat modelling in understanding and dealing with cyber threats to their applications and networks. The trainer's goal is to prevent more software security bugs from inception by teaching students, whether they build more secure software or find underlying security flaws and bugs, to minimize the risks and impact of the engineered software. Participants will be immersed in the popular STRIDE and DREAD methodologies for threat modelling and the increasingly popular PASTA methodology, and they will create their own threat models during the training.

At the end of the training, students should expect to be able to do a quick threat model of any function/method that they wish to implement in their software, recognize the threats that they could introduce or have to deal with, and finally write a full and complete threat model on their own from start to finish, including recommendations, threat scenarios and related risk ratings.

Workshops May 6th (C1.03.06)