Architectural threat analysis plays a major role in addressing the growing risks from insecure software design but is rarely used in the industry. While several studies support this finding, none measure its use in open-source. To address this gap, we systematically mine GitHub repositories that apply threat analysis. We consider a selection of tools and languages. Moreover, we manually examine a subset to refine our results and assess the quality of the actual threat models. Based on these investigations, we paint a sobering yet important picture of the current state of open-source threat analysis. We further provide a comparison with the aforementioned research on industry use to highlight the peculiarities of open-source software and discuss its potential for security research.
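As an added illustration of the repository mining the abstract describes (example code, not from the paper), the block below classifies files in a repository tree as threat-model artifacts by tool and language. The tool signatures, the vendored-directory exclusions and the sample tree are this example's own assumptions, not the paper's tool selection or data.

```python
import re
from collections import Counter

# Assumed artifact signatures: (tool, language, filename pattern, content pattern).
# They reflect publicly documented file formats of a few common threat-modeling
# tools; they are assumptions of this example, not the paper's tool selection.
SIGNATURES = [
    ("pytm", "python", re.compile(r"\.py$"),
     re.compile(r"^(from pytm(\.\w+)* import|import pytm)\b", re.M)),
    ("threagile", "yaml", re.compile(r"\.ya?ml$"),
     re.compile(r"^threagile_version\s*:", re.M)),
    ("threat-dragon", "json", re.compile(r"\.json$"),
     re.compile(r'"diagrams"\s*:\s*\[')),
    ("ms-threat-modeling-tool", "xml", re.compile(r"\.tm7$"), None),
]

# Third-party copies inside these directories are not the project's own model;
# a mining study that counted them would inflate its results.
VENDORED = re.compile(r"(^|/)(node_modules|vendor|site-packages|third_party)/")


def classify_file(path, content):
    """Return (tool, language) if the file looks like a threat-model artifact."""
    if VENDORED.search(path):
        return None
    for tool, lang, name_re, body_re in SIGNATURES:
        if name_re.search(path) and (body_re is None or body_re.search(content)):
            return (tool, lang)
    return None


def classify_repo(files):
    """Count artifacts per (tool, language) over a {path: content} file tree."""
    hits = Counter()
    for path, content in files.items():
        key = classify_file(path, content)
        if key:
            hits[key] += 1
    return hits


def has_threat_model(files):
    """True if the tree contains at least one recognised threat-model artifact."""
    return bool(classify_repo(files))


# Constructed sample repository tree (not real data).
SAMPLE_REPO = {
    "docs/threat_model.py": "from pytm import TM, Actor, Server\n\ntm = TM('Sample')\n",
    "threagile.yaml": "threagile_version: 1.0.0\ntitle: Sample\n",
    "model/app.json": '{"summary": {"title": "Sample"}, "detail": {"diagrams": []}}',
    "node_modules/pytm/example.py": "from pytm import TM\n",  # vendored, ignored
    "src/main.py": "print('hello')\n",
}

if __name__ == "__main__":
    for (tool, lang), n in sorted(classify_repo(SAMPLE_REPO).items()):
        print(f"{tool:<25} {lang:<7} {n}")
```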
Gruner et al. studied this question.