



Threat Modeling and Incident Response in OpenSSL-Based Systems
OpenSSL is everywhere, powering secure communication in the systems we rely on daily. However, that reach also makes it a prime target for attackers. In this session, we will walk through how to use threat modeling, with a focus on STRIDE and attack trees, to uncover weak spots and vulnerabilities in OpenSSL-based systems before attackers do. We will look at where vulnerabilities tend to creep in, from unsafe defaults and risky configurations to flawed assumptions in system design. I will also share what a solid incident response plan looks like when cryptographic components are involved, especially under standards like FIPS 140-3. Whether you are writing code, securing infrastructure, or preparing for the next zero-day, you will leave with practical strategies to reduce risk and respond more effectively when something breaks.