Module SDD-08 — Threat Modeling Harness Stack

Threat Modeling Harness Stack

The continuous, design-time threat-modeling pipeline: Terraform/OpenAPI/draw.io ingestion, ground-truth DFD generation in Mermaid, STRIDE automation with LLM enrichment.

45
minutes
8
artifacts
3
sub-sections
The harness that turns threat modeling from a decaying quarterly whiteboard ritual into a continuous, evidence-grounded pipeline. Terraform and OpenAPI are ingested as ground truth, merged into a normalized DFD model, rendered as diff-able Mermaid, and STRIDE is run per element with an LLM-enrichment layer that turns boilerplate threats into system-specific, actionable findings. The DFD cannot drift from the implementation because the implementation is the input.
Key Claims
Load-Bearing Claims

The DFD is derived from ground truth, not memory. Parsed from the Terraform and OpenAPI the team maintains, the model regenerates on every change and cannot drift from the implementation. This is the inversion that replaces the quarterly whiteboard session that decays immediately.

Mermaid is the canonical DFD format because it is text. It diffs in git, reviews in PRs, and regenerates cleanly. The manual layer (draw.io) feeds in; the output is a source-controlled, versioned component of the architecture record — not a picture.

The LLM-enrichment layer is where the value compounds. A rule lookup produces generic STRIDE threats engineers dismiss as boilerplate. The LLM attaches system-specific context (resource names, data classifications, trust boundaries) — 'consider Spoofing' becomes 'the payment webhook has no mTLS, spoofing enables fraudulent refunds.' Specificity is what makes threats actionable.

The outputs are sensitive architecture maps. The DFD is a resource/trust-boundary map and the threat list is a prioritized attack playbook. Both are exactly what an attacker wants. Govern them like pentest reports; the read-only ingestion is the safe part.

After This Module
01
Build the ingestion pipeline: Terraform/IaC + OpenAPI + draw.io → normalized model → DFD generation → STRIDE analysis.
02
Explain why threat modeling is a design-time activity and why continuous ingestion beats the quarterly ritual.
03
Distinguish the three input modalities and what each contributes to the model.
04
Map STRIDE automation to DFD element types and explain where the LLM adds value over a rule lookup.
05
Score the stack on the 12-module rubric (47/60) and identify the build-on list (CI wiring, DFD diffing, threat aging).
Artifacts