Explore the art of identifying attack surfaces and securing open source code through threat modeling in this 37-minute conference talk by Aviv Sasson and Daniel Prizmant from Palo Alto Networks. Discover the importance and benefits of threat modeling for open source projects, and learn how attackers utilize this technique to find vulnerabilities. Dive into the technicalities of the threat modeling process, including setting clear objectives, understanding application functionality, and identifying potential vulnerabilities using frameworks like CWE and STRIDE. Gain insights from real-world examples of vulnerabilities found in major open source projects, and understand the challenges of supply chain attacks, outdated libraries, and legacy code. Learn about mitigation strategies and the limitations of security products while acquiring practical knowledge to enhance the security of open source software.
Securing Open Source Through Threat Modeling
Overview
Syllabus
Introduction
Agenda
What is Threat Modeling
Why should we do Threat Modeling
Threat Modeling 101
Threat Modeling in the Beginning
Advanced Threat Modeling
Known vs unknown vulnerabilities
Setting clear objectives
Understanding how the application works
What can go wrong
CWE
OSS Top 10
Stride
Verification
Supply Chain Attacks
What is Supply Chain Attack
Outdated Libraries
You are not the target
OpenSSL
Informationally
Legacy code
Automatic tools
Mitigation
Problems with security products
Summary
Taught by
Linux Foundation
Tags
Related Courses
-
An Agile Approach to Threat Modeling for Securing Open Source Projects - EdgeX Foundry Case Study
-
Evolving Threat Modeling Through the Open Threat Model Format
-
Topics of Interest - Agile Threat Modeling with Open-Source Tools
-
Threat Modeling - Key Methodologies and Applications from OSS CIP Perspective
-
Hidden Vulnerabilities in Open Source
-
Insane in the Supply Chain - Threat Modeling for Attacks on AI Systems
