Start off with the basics of how to do threat modeling. Capability mapping.
Then use open source projects as examples of how to map out capabilities and how they fit into your illustrated threat models
Do a basic overview of how a computer works, or how a phone works would be more relevant nowadays I guess, what the different components of the phone are, what is microcode, what is BIOS, what goes into a driver, how a kernel works, all the privileges and threats involved. That is a very healthy exercise for people to be aware of the trade-offs of using something open source with closed source blobs in the kernel versus purely closed source etc
An illustrative example. When you send a sext which software, which drivers, which organizations, which code, gets access to the privileged and sensitive information all the way down the stack
Start off with the basics of how to do threat modeling. Capability mapping.
Then use open source projects as examples of how to map out capabilities and how they fit into your illustrated threat models
Do a basic overview of how a computer works, or how a phone works would be more relevant nowadays I guess, what the different components of the phone are, what is microcode, what is BIOS, what goes into a driver, how a kernel works, all the privileges and threats involved. That is a very healthy exercise for people to be aware of the trade-offs of using something open source with closed source blobs in the kernel versus purely closed source etc
An illustrative example. When you send a sext which software, which drivers, which organizations, which code, gets access to the privileged and sensitive information all the way down the stack