    DevOps
    Way of Working

    Lightweight Threat Modeling

    Foundation
    Phase: plan
    LT
    DF

    Quick Reference

    Phase
    plan
    Epic
    Backlog Quality & Planning Enablement
    Milestone
    Foundation
    Target
    >= 60% of sensitive features have a threat model
    Implementation Time
    Part of Backlog Quality & Planning Enablement epic: 3 weeks (24 hours per capability avg)

    What & Why

    Definition

    STRIDE checklist applied to >= 60% of features touching sensitive data or external integrations.

    Business Value

    Reduces sprint scope creep by 40% and improves story completion rate from 60% to 85% through clear acceptance criteria and retrospective-driven improvements. Achieving ">= 60% of sensitive features have a threat model" is a key milestone toward this goal.

    Context

    This capability is part of the Foundation milestone's focus on establishing baseline practices (testable, releasable, monitorable). Essential for teams targeting lead time (LT) and deployment frequency (DF) improvements.

    Success Criteria

    Target

    >= 60% of sensitive features have a threat model

    Measurement

    Security review tracking system query

    Evidence

    • STRIDE checklist template
    • Completed threat models
    • Mitigation backlog items

    In Practice

    Real-World Implementation

    Teams complete 15-min STRIDE worksheet for features handling PII, payments, or external APIs before coding starts.

    Concrete Example

    Feature 'Export customer data' threat model identifies STRIDE risks: T-tampering (mitigation: signed exports), R-repudiation (mitigation: audit logs).
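The 15-minute worksheet and the coverage target above can be expressed as a small checker. The following Python is an added example, not code from devopswow.com or its implementation kit: it models a feature's sensitivity flags (PII, payments, external API), records the STRIDE worksheet as a mapping from STRIDE letter to mitigation or "n/a" reason, lists the categories a worksheet has not yet answered, and computes the share of sensitive features that have a threat model. Feature names other than 'Export customer data', and all mitigation texts other than "signed exports" and "audit logs", are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The six STRIDE categories, keyed by the letter used on the worksheet.
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Feature:
    """A backlog item with the sensitivity flags that trigger a worksheet."""
    name: str
    handles_pii: bool = False
    handles_payments: bool = False
    external_api: bool = False
    # Worksheet: STRIDE letter -> mitigation, or "n/a: <reason>" when the
    # category was considered and ruled out. Empty means no threat model yet.
    threat_model: Dict[str, str] = field(default_factory=dict)

    @property
    def sensitive(self) -> bool:
        # Matches the page's trigger: PII, payments, or external integrations.
        return self.handles_pii or self.handles_payments or self.external_api


def unaddressed(feature: Feature) -> List[str]:
    """STRIDE letters the worksheet has neither mitigated nor ruled out."""
    return sorted(set(STRIDE) - set(feature.threat_model))


def backlog(features: List[Feature]) -> List[str]:
    """Sensitive features still waiting for a worksheet before coding starts."""
    return [f.name for f in features if f.sensitive and not f.threat_model]


def coverage(features: List[Feature]) -> float:
    """Fraction of sensitive features that have a (possibly partial) threat model."""
    sensitive = [f for f in features if f.sensitive]
    if not sensitive:
        return 1.0  # nothing in scope, so nothing is uncovered
    modeled = [f for f in sensitive if f.threat_model]
    return len(modeled) / len(sensitive)


def meets_target(features: List[Feature], target: float = 0.6) -> bool:
    """The page's Foundation target: >= 60% of sensitive features modeled."""
    return coverage(features) >= target


# Constructed sample backlog. The first entry mirrors the page's example;
# the others are hypothetical.
EXAMPLE_FEATURES: List[Feature] = [
    Feature("Export customer data", handles_pii=True,
            threat_model={"T": "signed exports", "R": "audit logs"}),
    Feature("Checkout payment webhook", handles_payments=True, external_api=True,
            threat_model={"S": "verify webhook signature",
                          "T": "reject replayed event ids",
                          "R": "store raw event with receipt timestamp",
                          "I": "n/a: no card data in payload",
                          "D": "rate limit per source",
                          "E": "n/a: handler runs with read-only role"}),
    Feature("Partner address lookup", external_api=True),   # no worksheet yet
    Feature("Change UI theme"),                              # not sensitive
]

if __name__ == "__main__":
    for f in EXAMPLE_FEATURES:
        if f.sensitive:
            print(f"{f.name}: open STRIDE categories {unaddressed(f)}")
    print("needs worksheet before coding:", backlog(EXAMPLE_FEATURES))
    print(f"coverage {coverage(EXAMPLE_FEATURES):.0%}, "
          f"target met: {meets_target(EXAMPLE_FEATURES)}")
```

Running it shows the distinction the measurement hides: 'Export customer data' counts as modeled for the coverage metric, yet its worksheet still has four STRIDE categories (S, I, D, E) with no decision recorded, and the partner lookup is the item that keeps the backlog from reaching 100%.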

    Implementation Guide

    Implementation Steps

    Follow the measurement approach: Security review tracking system query

    For detailed step-by-step guidance, refer to the Backlog Quality & Planning Enablement Implementation Kit.

    Resources

    Implementation Kit

    Backlog Quality & Planning Enablement Kit

    Templates

    Browse all templates

    Related Resources

    View learning paths

    Related Capabilities

    Enables

    What this unlocks

    Automated Threat Modeling

    Complementary

    Often adopted together, from the Backlog Quality & Planning Enablement epic

    Definition of Done Standard
    Non-Functional Requirements in Backlog
    Retrospective Action Item Tracking
    Basic Capacity Planning

    Troubleshooting & FAQs

    Common Issues

    Issue: Target metric not improving

    Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

    Issue: Team resistance to adoption

    Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

    Issue: Inconsistent implementation across teams

    Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

    Frequently Asked Questions

    Can we implement this before completing prerequisites?

    While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

    How long does implementation typically take?

    Most capabilities can be implemented within 90 days when tackled as part of the Foundation milestone. Individual timelines vary based on team size and existing practices.


    DevOps practices for the entire delivery lifecycle

    © 2019-2026 devopswow.com. Created by Burhan Öcüt
