How DevSecOps thinks about threats — STRIDE categories, attack surface mapping, trust boundaries, and producing actionable security requirements (not "be secure")
A security contribution that says "ensure proper authentication" is useless. The engineer already knows that. Threat modeling produces SPECIFIC, ACTIONABLE requirements:
That's a security requirement. "Be secure" is not.
For each component or feature being reviewed:
For the feature or component under review:
For each entry point, walk through STRIDE. Not everything applies to everything — focus on what's realistic:
| Component Type | Focus On |
|---|---|
| API endpoint | Spoofing, Tampering, Info Disclosure |
| State machine | Tampering, Elevation |
| File operations | Tampering, Info Disclosure |
| Inter-agent communication | Spoofing, Repudiation |
| Configuration | Tampering, Elevation |
For each threat identified:
| Severity | Criteria |
|---|---|
| Critical | Remote exploitation, data breach, privilege escalation |
| High | Auth bypass, significant data exposure |
| Medium | Limited info disclosure, DoS potential |
| Low | Minor issues, defense in depth |
When contributing to a task via fleet_contribute:
## Security Requirements for: {task_title}
### Threat Summary
{1-2 sentences: what's the risk profile}
### Requirements
1. [CRITICAL] {specific control}
- Threat: {STRIDE category}: {specific threat}
- Where: {file/endpoint/component}
- Verify: {how to test}
2. [HIGH] {specific control}
...
### Trust Boundaries
- {boundary}: {what crosses it, how to protect}
### Out of Scope
- {what was assessed and found acceptable, so the engineer doesn't waste time}