Finding a Needle in a Haystack: Threat Analysis in Open-Source Projects

SANER Workshop on Mining Software Repositories for Privacy and Security

Authors: Bernd Gruner, Sebastian Heckner, Tim Sonnekalb, Badr-Eddine Bouhlal, and Clemens-Alexander Brust

Abstract: Architectural threat analysis plays a major role in addressing the growing risks from insecure software design but is rarely used in industry. While several studies support this finding, none measure its use in open-source software. To address this gap, we systematically mine GitHub repositories that apply threat analysis. We consider a selection of tools and languages. Moreover, we manually examine a subset to refine our results and assess the quality of the actual threat models. Based on these investigations, we paint a sobering yet important picture of the current state of open-source threat analysis. We further provide a comparison with the aforementioned research on industry use to highlight the peculiarities of open-source software and discuss its potential for security research.