"Why does manual threat modeling fail in most organizations?" "Manual: diagram in a quarterly meeting, spreadsheet of threats. Diagram goes stale the day someone merges a Terraform change. Nobody re-runs the model. Root cause: model is hand-maintained, separate from architecture. Fix: generate from IaC/OpenAPI, regenerate on every change." c2a::s07::analysis "What are the input sources for architecture ingestion, and which are authoritative?" "draw.io/Mermaid (supplementary — documentation drifts), Terraform/CloudFormation (AUTHORITATIVE — machine-verifiable declaration of what is deployed), OpenAPI/Swagger (authoritative — API endpoints/schemas), source structure. IaC + OpenAPI is the strongest path." c2a::s07::recall "What is the DFD, and why is it the canonical intermediate representation?" "Data Flow Diagram: elements, flows, trust_boundaries. Every input source normalizes to it. Every downstream stage (STRIDE, mitigation, versioning) operates on the DFD, not raw input. Decouples ingestion from analysis — new input only needs a new parser." c2a::s07::recall "What is a trust boundary, and why does it matter for threat modeling?" "Line where trust level changes: public internet↔VPC, low-trust tenant↔admin, third-party↔internal. Where the DANGEROUS threats live — where an adversary crosses from low-trust to high-trust. Flows crossing boundaries are highest-priority STRIDE analysis targets." c2a::s07::analysis "How does the harness detect trust boundaries from infrastructure?" "Internet-facing resources (public IP, internet gateway, public LB listener) → internet↔VPC boundary. IAM cross-account roles → account boundaries. Tenant isolation constructs (per-tenant schema, tenant-scoped policy) → tenant boundaries. Each flow marked crosses_boundary if source/target in different boundaries." c2a::s07::application "What does STRIDE stand for?" "S(poofing) T(ampering) R(epudiation) I(nformation disclosure) D(enial of service) E(levation of privilege). Mnemonic for 6 threat categories. Strength: each maps to specific DFD element types → systematic method, not open-ended brainstorm." c2a::s07::recall "Which STRIDE categories apply to each DFD element type?" "External actor: Spoofing, Repudiation. Process/service: ALL SIX (richest surface). Data store: Tampering, Repudiation, Info Disclosure, DoS (not Spoofing — you don't impersonate a DB). Data flow: Tampering, Info Disclosure, DoS. Scoping prevents irrelevant threats." c2a::s07::recall "What is grounded threat generation, and why is it load-bearing?" "LLM generates threats SPECIFIC to element's technologies + flows crossing its boundary + data involved. Without grounding: 'attacker might spoof auth' (useless, applies anywhere). With grounding: 'stolen Cognito creds bypass API Gateway rate limit + WAF' (specific, CVSS-scored, actionable)." c2a::s07::analysis "How does the STRIDE engine dedup and prioritize threats?" "Dedup via SEMANTIC SIMILARITY: each threat embedded, threats above threshold merged (retain highest-severity phrasing). Prioritize by draft CVSS score from model's base vector. Output is RANKED — top threats first, not a flat dump. 20 elements × ~3 categories × ~3 threats → ~180 candidates → dedup → ranked." c2a::s07::application "Why is traceability (every threat carries element_id + category) not decorative?" "Developer asks 'why flag this?' → harness points to specific DFD element + flow. Architecture changes, element removed → threats auto-retired (not orphaned). Makes model maintainable across versions. Enables delta-only re-analysis on architecture change." c2a::s07::analysis "What are the 4 mitigation status values and their meanings?" "Open (identified, not implemented). In progress (PR open, IaC change in review). Mitigated (deployed, verified resolved). Accepted risk (business decision, documented with approver + expiry). Status links threat model to engineering workflow." c2a::s07::recall "What 3 layers does a mitigation map to?" "(1) OWASP ASVS control (e.g. V2.1.7 MFA). (2) CWE remediation (e.g. CWE-308 single-factor auth). (3) Cloud provider best practice (e.g. AWS IAM condition keys require MFA for sts:AssumeRole). Mapping = difference between platitude and implementable mitigation." c2a::s07::recall "Why must threats be filed in the engineering tracker (GitHub/Linear/Jira), not a security silo?" "Engineers don't open separate security tools. Auto-create issues where they work, with attack narrative, CVSS, mitigation, OWASP/CWE/cloud refs, traceability to threat model. Bidirectional status sync (issue closes → threat mitigated). Goal: zero manual transcription between analysis and backlog." c2a::s07::application "How does model version diffing make continuous threat modeling tractable?" "Diff two model versions → re-run STRIDE ONLY ON DELTA: new elements (run STRIDE), removed elements (retire threats), new flows esp. crossing boundary (HIGHEST priority), changed boundaries (re-analyze affected), unchanged (skip). Cost scales with change, not architecture size." c2a::s07::analysis "What makes a threat model go stale, and how does the harness prevent it?" "Stale: architecture changes (Terraform merge, new endpoint) but model not re-run. Harness prevents: regenerates model from IaC/OpenAPI on every change, diffs versions, re-analyzes only the delta. Model is an OUTPUT of the pipeline, not a hand-maintained artifact." c2a::s07::analysis "Compare a platitude mitigation vs a mapped mitigation." "Platitude: 'Use strong authentication' (prompts no action, ignored). Mapped: 'Enable AWS IAM condition keys requiring MFA for sts:AssumeRole in Lambda execution policy, per OWASP ASVS V2.1.7, CWE-308.' Engineer can implement in a PR — concrete config/IaC/code change, not a slogan." c2a::s07::application "Why does the engine NOT analyze data stores for spoofing?" "You don't impersonate a database. STRIDE is SCOPED per element type: external actors get spoofing + repudiation; processes get all six; data stores get tampering/repudiation/info-disclosure/DoS; flows get tampering/info-disclosure/DoS. Scoping prevents irrelevant threats and keeps the list credible." c2a::s07::analysis "What is the highest-priority delta when diffing two threat model versions?" "NEW FLOWS that cross a trust boundary (esp. new public-to-internal paths). These are where new exposures live — an adversary's new path from low-trust to high-trust. Also high: changed trust boundaries (resource moved private→public, new cross-account role)." c2a::s07::analysis "How does the parser extract components from Terraform?" "Every resource is a component: aws_s3_bucket → data store, aws_lambda_function → process, aws_api_gateway_rest_api → service with external entry points. From OpenAPI: every endpoint group → service; request schemas → data structures. References between resources → data flows." c2a::s07::application "Why treat IaC as authoritative and draw.io as supplementary?" "IaC (Terraform/CloudFormation) is a machine-verifiable declaration of what is ACTUALLY deployed. draw.io is documentation — it drifts from reality the moment someone merges a change. IaC + OpenAPI as authoritative inputs; diagrams add human-readable context but cannot be the source of truth." c2a::s07::analysis