“Threat modeling is very formal, it’s very technical, and also very hard to do correctly”: Investigating Threat Modeling Practices in Open-Source Software Projects
In 34th USENIX Security Symposium, USENIX 2025, Seattle, WA, USA, August 13-15, 2025
Abstract
Vulnerabilities in open-source software (OSS) projects can potentially impact millions of users and large parts of the software supply chain. Rigorous secure design practices, such as threat modeling (TM), can help identify threats and determine and prioritize mitigations early in the development lifecycle. However, there is limited evidence regarding how OSS developers consider threats and mitigations and whether they use established TM methods.
Our research is the first to fill this gap by investigating OSS developers’ TM practices and experiences. Using semi-structured interviews with 25 OSS developers, we explore participants’ threat finding and mitigation practices, their challenges and reasons for adopting their practices, as well as desired support for implementing TM in their open-source projects. Because OSS development is often a volunteer effort, decentralized, and lacking security expertise, more structured TM methods introduce additional costs and are perceived as having limited benefit. Instead, we find almost all OSS developers conduct TM practices in an ad hoc manner due to the ease of use, flexibility, and low overhead of this approach. Based on our findings, we provide recommendations for the OSS community to better support TM processes in OSS.
Reference
@inproceedings{conf/usenix/kaur25,
  author    = {Kaur, Harjot and
               Powers, Carson and
               Thompson III, Ronald E. and
               Fahl, Sascha and
               Votipka, Daniel},
  booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
  month     = {August},
  publisher = {USENIX},
  title     = {“Threat modeling is very formal, it’s very technical, and also very hard to do correctly”: Investigating Threat Modeling Practices in Open-Source Software Projects},
  year      = {2025}
}