Hi,
My name is Avi Shaked and I’m a researcher at the University of Oxford.
I believe threat modelling is significant to designing and delivering trustworthy systems. However, my observation is that threat modelling is rarely done in a systematic and sustainable way. In my research, I develop tools and mechanisms to support rigorous threat modelling and security by design, so that they can be scaled and applied consistently across development efforts, organisations and even sectors (e.g., doing threat assessment with respect to policy), throughout the systems life cycle.
We have an open source threat modelling and security design tool, and in previous research we established attack/threat-oriented design aspects using the tool and its underlying methodology, as well as using it to integrate existing knowledge.
Our current effort, as part of the UK Digital Security by Design programme, introduces vulnerability management aspects into the security design and assessment. For this, we are looking for threat models that include the identification of either CWE weaknesses or CVE vulnerabilities with respect to specific system constituents. We are also looking for Software Bills of Materials (SBOMs) of real systems that include CPE identification of the constituents.
If you can provide such threat models (or SBOMs) and/or would like to collaborate to create/analyze such threat models, please approach me. We will keep information and specific results confidential unless agreed otherwise.
In general, I will be happy to assist any threat modelling efforts to employ the conceptual mechanisms and/or tools that I develop. Feel free to reach out!
Thank you,
Avi