Mastering the Art of Software Supply Chain Threat Modeling
Implementing software supply chain threat modeling requires both the models and the data. In this session, we will discuss linking data from security reporting, such as SBOMs and CVEs, to the threat models to make them actionable. Software supply chain threat modeling requires several types of key data, including but not limited to:
• information about the software components themselves, such as dependencies, versioning, vulnerabilities, and origins;
• data on the development environment, including tools, repositories, and access controls;
• details about the distribution and deployment processes, mechanisms, and configuration settings;
• information on potential threat actors, their motives, and capabilities.
By analyzing these data points, organizations can better understand the risks that open-source components introduce into their software supply chain, and implement appropriate mitigations and continuous monitoring. The presentation will cover MITRE ATT&CK, SPDX, OpenSSF Scorecard, Cosign, and Ortelius as the central evidence store for tracking threat modeling data.
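As an added illustration of the "link the evidence to the model" idea described above (this is example code written for this page, not code from the talk, DeployHub, or Ortelius): the script below parses an SPDX 2.3 JSON SBOM, joins each package to a list of vulnerability records by package URL (purl) and affected version range, and attaches every hit to a threat-model node. Components that carry no purl are attached to a separate "unverifiable origin" node, because a threat model cannot reason about provenance it cannot see. The SBOM, the vulnerability records and their `VULN-EXAMPLE-*` identifiers are constructed placeholders, not real components or CVEs; the threat-node names are assumptions chosen to match the four data categories listed above.

```python
"""Join an SPDX SBOM against vulnerability records and tag each hit with a
threat-model node, so the model is driven by evidence rather than by guesswork.
All input data below is constructed for the example."""
import json
from dataclasses import dataclass

# Constructed SPDX 2.3 JSON document (field names follow the SPDX spec;
# the packages themselves are fictitious).
SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-service",
  "packages": [
    {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "1.4.2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/libfoo@1.4.2"}]},
    {"SPDXID": "SPDXRef-Package-barlib", "name": "barlib", "versionInfo": "2.0.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/barlib@2.0.0"}]},
    {"SPDXID": "SPDXRef-Package-bazutil", "name": "bazutil", "versionInfo": "0.9.1",
     "externalRefs": []}
  ]
}
"""

# Constructed vulnerability records. The IDs are placeholders, not real CVEs.
# "introduced" is inclusive, "fixed" is exclusive (OSV-style half-open range).
VULN_RECORDS = [
    {"id": "VULN-EXAMPLE-0001", "purl_base": "pkg:pypi/libfoo",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "HIGH"},
    {"id": "VULN-EXAMPLE-0002", "purl_base": "pkg:npm/barlib",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "CRITICAL"},
]


@dataclass(frozen=True)
class Finding:
    spdx_id: str
    component: str
    version: str
    threat_node: str  # node in the threat model this evidence attaches to
    evidence: str     # the record (vuln ID or SBOM gap) that backs the finding


def parse_version(text: str) -> tuple:
    """'1.4.2' -> (1, 4, 2). Parsing stops at the first non-numeric segment so a
    pre-release tag never sorts as a higher release. Not full semver; a real
    pipeline would use the ecosystem's own version comparison."""
    parts = []
    for seg in text.split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def sbom_components(sbom: dict):
    """Yield (SPDXID, name, version, purl without the @version suffix) per package."""
    for pkg in sbom.get("packages", []):
        purl_base = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl_base = ref["referenceLocator"].split("@", 1)[0]
        yield pkg["SPDXID"], pkg["name"], pkg.get("versionInfo", ""), purl_base


def link_sbom_to_threats(sbom_text: str, vulns: list) -> list:
    """Return one Finding per (component, vulnerability) match, plus one
    provenance Finding for every component the SBOM does not identify by purl."""
    findings = []
    for spdx_id, name, version, purl_base in sbom_components(json.loads(sbom_text)):
        if purl_base is None:
            findings.append(Finding(spdx_id, name, version,
                                    "component of unverifiable origin",
                                    "no purl in SBOM; origin cannot be checked"))
            continue
        for rec in vulns:
            if rec["purl_base"] == purl_base and affected(version, rec["introduced"], rec["fixed"]):
                findings.append(Finding(spdx_id, name, version,
                                        "known vulnerable dependency",
                                        f"{rec['id']} ({rec['severity']}), fixed in {rec['fixed']}"))
    return findings


if __name__ == "__main__":
    for f in link_sbom_to_threats(SBOM_JSON, VULN_RECORDS):
        print(f"{f.threat_node:34} {f.component}@{f.version}: {f.evidence}")
```

Note the two edge cases the join has to get right: `barlib@2.0.0` is exactly the fixed version and must not be flagged, and `bazutil` produces a finding even though no vulnerability record mentions it, because a component with no purl is itself a gap in the evidence the threat model depends on.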

Tracy Ragan
CEO DeployHub, OpenSSF Board Member, CDF TOC Member, Host of Techstrong Women
Santa Fe, New Mexico, United States