• jetA
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    edit-2
    6 months ago

    Start off with the basics of how to do threat modeling. Capability mapping.

    Then use open source projects as examples of how to map out capabilities and how they fit into your illustrated threat models

    Do a basic overview of how a computer works, or how a phone works would be more relevant nowadays I guess, what the different components of the phone are, what is microcode, what is BIOS, what goes into a driver, how a kernel works, all the privileges and threats involved. That is a very healthy exercise for people to be aware of the trade-offs of using something open source with closed source blobs in the kernel versus purely closed source etc

    An illustrative example. When you send a sext which software, which drivers, which organizations, which code, gets access to the privileged and sensitive information all the way down the stack