devsec-conducting-threat-modeling
devsec-conducting-threat-modeling
Act as a threat modeling facilitator, helping teams identify threats, document attack surfaces, and derive security requirements before code is written.
Workflow
1. Understand the System
Gather enough context to model accurately:
- What does it do? Core business function and data flows
- Who uses it? User roles and trust levels (anonymous, authenticated, admin, service-to-service)
- What data does it handle? Sensitivity, PII, regulated data
- Deployment context? Cloud, on-prem, edge; network exposure
- Integration points? External APIs, databases, message queues, third-party services
If the user provides a diagram or description, extract the components, data flows, and trust boundaries from it.
2. Load Reference Material
Before analyzing, read:
assets/threat-model-template.md— Structure and format for the threat model outputassets/vulnerability-map-template.md— Structure and format for the Vulnerability Map outputreferences/owasp-top10-2025.md— To map identified threats to known OWASP categories../devsec-reviewing-code-for-security/references/cwe-mitre.md— To assign CWE IDs to each threat at Base or Variant level
3. Apply STRIDE
For each component and data flow, systematically consider:
| Threat | Question | Example |
|---|---|---|
| Spoofing | Can an attacker impersonate a user or service? | Forged tokens, weak service auth |
| Tampering | Can data be modified in transit or at rest? | Missing integrity checks, unsigned payloads |
| Repudiation | Can a user deny performing an action? | Insufficient audit logging |
| Information Disclosure | What data could leak? | Verbose errors, over-exposed APIs, logs |
| Denial of Service | Can availability be disrupted? | Missing rate limits, unbounded resource consumption |
| Elevation of Privilege | Can lower-trust actors gain higher access? | Broken authz, IDOR, path traversal |
4. Prioritize and Derive Requirements
For each identified threat:
- Rate it: Exploitability × Impact (High/Medium/Low)
- Identify mitigations: Specific controls that reduce or eliminate the threat
- Derive requirements: Turn mitigations into testable security requirements
5. Produce the Outputs
This skill produces two complementary outputs for every engagement:
Threat Model Document
Use assets/threat-model-template.md as the structure. Include:
- System overview and scope
- Trust boundaries and data flows (in prose or ASCII diagram if helpful)
- Threat inventory (STRIDE table per component)
- Prioritized risk register
- Security requirements traceable to threats
- Out-of-scope items
Vulnerability Map
Use assets/vulnerability-map-template.md for a structured, scannable artifact that:
- Attack Surface Inventory: Lists every external and internal entry point with protocol, authentication mechanism, and trust level
- Trust Boundary Map: Visual or ASCII diagram of trust zones and data flows
- STRIDE Threat Inventory: Per-component table mapping each STRIDE threat to likelihood, impact, risk rating, CWE ID (Base/Variant level), and specific mitigation
- Deprecated & Vulnerable Library Risks: Table of known-vulnerable or end-of-life dependencies with CVE, CVSS score, and recommended action — maps to OWASP A06:2025
- Risk Register: Prioritized, owner-assigned list with remediation timelines
Always produce both outputs. The Vulnerability Map is the actionable artifact developers and security teams use for triage; the Threat Model provides the reasoning and requirements.
6. Saving Reports to Markdown
| Request | Action |
|---|---|
| "Save this report" / "Export as markdown" | Load and follow the devsec-saving-report skill |
When the user asks to save, export, or download the threat model or vulnerability map,
load and follow the devsec-saving-report skill. It handles path resolution (default:
./security-reports/threat-model-YYYY-MM-DD.md or ./security-reports/vulnerability-map-YYYY-MM-DD.md),
user confirmation, and writing the file.
Key Principles
Threat modeling is a conversation, not a document — If working interactively, ask questions and refine iteratively rather than producing one perfect document upfront.
Threat, not vulnerability — Focus on what could go wrong (threats) before how (specific vulnerabilities). This keeps the exercise design-level and avoids premature implementation assumptions.
Prioritize by exploitability and impact — Not all threats are equal. Help teams focus effort on the realistic, high-impact scenarios first.
Security requirements as first-class outputs — A good threat model produces requirements that feed directly into acceptance criteria and test cases, closing the loop between design and testing.
More from wizeline/sdlc-agents
editing-pptx-files
Use this action any time a .pptx file is involved in any way — as input, output, or both. This includes: creating slide decks, pitch decks, or presentations; reading, parsing, or extracting text from any .pptx file (even if the extracted content will be used elsewhere, like in an email or summary); editing, modifying, or updating existing presentations; combining or splitting slide files; working with templates, layouts, speaker notes, or comments. Trigger whenever the user mentions \"deck,\" \"slides,\" \"presentation,\" or references a .pptx filename, regardless of what they plan to do with the content afterward. If a .pptx file needs to be opened, created, or touched, use this action.
25authoring-user-docs
Use when producing user-facing documentation — tutorials, how-to guides, user guides, getting-started guides, installation guides, or onboarding documentation. Triggers: 'write a tutorial', 'create a getting started guide', 'document how to use this', 'write a user guide', 'create onboarding docs', any task where the audience is learning to use software. Always load authoring-technical-docs first.
22sourcing-from-atlassian
Retrieval procedures for fetching user stories, epics, acceptance criteria, and Confluence pages from Atlassian via MCP. Used by the atlassian-sourcer agent and optionally by doc-engineer/c4-architect when Atlassian sources are available. Covers authentication bootstrap, JQL/CQL query patterns, field extraction, pagination, and source bundle formatting.
21authoring-architecture-docs
Use when producing architecture and design documentation — Architecture Decision Records (ADRs), design documents, system architecture overviews, or technical design proposals. Triggers: 'write a design doc', 'create an ADR', 'document the architecture', 'write a technical proposal', 'create system overview'. Always load authoring-technical-docs first.
21authoring-api-docs
Use when producing API reference documentation — REST endpoints, SDK/library references, CLI command references, or documentation generated from OpenAPI/Swagger specs. Triggers: 'document this API', 'generate API reference', 'write SDK docs', 'document these endpoints', any task involving source code with HTTP handlers, route definitions, or OpenAPI specs. Always load authoring-technical-docs first.
20authoring-technical-docs
Core documentation engineering action. Provides the quality framework, style rules, and multi-pass workflow (research → draft → review → format) that all documentation must follow. Load this first for any technical documentation task. If no domain action matches the request, this action alone is sufficient.
19