Address OSPS-SA-03.02 security baseline requirement.
Requirement: When the project has made a release, the project MUST perform a threat modeling and attack surface analysis to understand and protect against attacks on critical code paths, functions, and interactions within the system.
Recommendation: Threat modeling is an activity where the project looks at the codebase, associated processes and infrastructure, interfaces, key components and "thinks like a hacker" and brainstorms how the system be be broken or compromised. Each identified threat is listed out so the project can then think about how to proactively avoid or close off any gaps/vulnerabilities that could arise. Ensure this is updated for new features or breaking changes.
Control applies to: Maturity Level 3
External Framework Mappings
BPB: B-S-8, S-G-1
CRA: 1.1, 1.2j, 1.2k, 2.2
SSDF: PO.5.1, PW.1.1
CSF: ID.RA-01, ID.RA-04, ID.RA-05, DE.AE-07
ISO-18974: 4.1.5
OpenCRE: 068-102, 154-031, 888-770
PSSCRM: G4.3, G5.2, P2.1
SAMM: Governance -Create and Promote Lvl1, Design -Threat Assessment -Application Risk Profile Lvl1, Design -Threat Assessment -Threat Modeling Lvl1, Verification -Architecture Assessment -Architecture Mitigation Lvl2
PCIDSS: 2.2.4, 2.2.5, 2.2.6, 6.2.1, 6.2.3.1, 6.3.2, 6.4.2, 11.3.1, 12.3.1
UKSSCOP: 1.4, 3.3
800-161: CA-2, CA-2(3), PM-30, RA-3, SA-11, SA-15, SA-15(3), SA-15(8), SI-3, SR-3, SR-3(3), SR-6, SR-7
https://baseline.openssf.org/versions/2025-10-10#osps-sa-0302
Address OSPS-SA-03.02 security baseline requirement.
Requirement: When the project has made a release, the project MUST perform a threat modeling and attack surface analysis to understand and protect against attacks on critical code paths, functions, and interactions within the system.
Recommendation: Threat modeling is an activity where the project looks at the codebase, associated processes and infrastructure, interfaces, key components and "thinks like a hacker" and brainstorms how the system be be broken or compromised. Each identified threat is listed out so the project can then think about how to proactively avoid or close off any gaps/vulnerabilities that could arise. Ensure this is updated for new features or breaking changes.
Control applies to: Maturity Level 3
External Framework Mappings
BPB: B-S-8, S-G-1
CRA: 1.1, 1.2j, 1.2k, 2.2
SSDF: PO.5.1, PW.1.1
CSF: ID.RA-01, ID.RA-04, ID.RA-05, DE.AE-07
ISO-18974: 4.1.5
OpenCRE: 068-102, 154-031, 888-770
PSSCRM: G4.3, G5.2, P2.1
SAMM: Governance -Create and Promote Lvl1, Design -Threat Assessment -Application Risk Profile Lvl1, Design -Threat Assessment -Threat Modeling Lvl1, Verification -Architecture Assessment -Architecture Mitigation Lvl2
PCIDSS: 2.2.4, 2.2.5, 2.2.6, 6.2.1, 6.2.3.1, 6.3.2, 6.4.2, 11.3.1, 12.3.1
UKSSCOP: 1.4, 3.3
800-161: CA-2, CA-2(3), PM-30, RA-3, SA-11, SA-15, SA-15(3), SA-15(8), SI-3, SR-3, SR-3(3), SR-6, SR-7
https://baseline.openssf.org/versions/2025-10-10#osps-sa-0302