Developer establishes and maintains a living threat model

A digital services project by Flexion

About Flexion

We build digital services for federal, state, and local government agencies. Learn more.

Open source

This project is developed in the open. View the source code on GitHub.

Forms Lab

Home
Forms
Catalog
Sign in

Color theme

In this section

← Back to Catalog
All Stories
#2 Maya signs in to access form authoring
#3 Maya uploads a PDF and reviews the extracted specs
#4 Maya shapes the form experience
#5 Maya reviews her proposed changes before publishing
#6 Carlos fills out a published form
#7 Maya receives a completed PDF
#8 Maya refines the data model with LLM assistance
#9 Carlos completes complex sections through conversation
#14 Developer establishes and maintains a living threat model
#48 Evaluator experiences a guided walkthrough of the project
#52 LLM responds to review comments to evolve forms
#59 Maya chooses her shaping model
#60 Carlos's conversation uses a chosen model
#61 Maya verifies AcroForm mapping
#62 Maya's extractions cite the law
#63 Maya's extractions learn from curated examples
#64 Maya's extractions use a tuned prompt
#65 Maya's extractions use our fine-tuned model
#66 Maya extracts via structured tool-use
#71 Developer navigates LLM integrations via a screaming service layer
#73 Maya's extractions use a tuned prompt (prompt optimization)
#74 Maya's extractions cite the law (RAG)
#75 Run live shaping model evaluation
#87 Maya authors a SNAP form guided by policy corpus and auto-evaluation

Catalog
Stories
Developer establishes and maintains a living threat model

closedFinal ProjectGitHub #14

User Story:

As a developer, in order to understand the application’s security posture and maintain it as features are added, I want a living threat model that documents trust boundaries and data flows, with tooling and process to keep it current

Preconditions:

Skeleton complete (Slice 0)
Deployment infrastructure design documented

Acceptance Criteria:

Threat model document exists in catalog/architecture/ covering current trust boundaries and data flows
Each trust boundary documents what data crosses it, what could go wrong, current mitigations, and residual risk
Risk summary table provides a scannable overview of identified threats with likelihood, impact, and mitigation status
ADR documents the decision to maintain a living threat model and the chosen methodology
Definition of done for all stories is updated to align with Flexion’s standard template, including the threat model review checkpoint
Threat model is browsable through the catalog alongside existing architecture docs
Claude skill exists that reviews the current threat model against branch changes and identifies whether updates are needed

Success Metrics:

Developers can identify the security implications of a proposed change within minutes by consulting the threat model
Threat model updates are a routine part of story completion, not a separate effort
New trust boundaries or data flows introduced by stories are captured in the threat model before the story is marked done

Notes:

Methodology:

Trust boundary / data flow analysis — map boundaries, identify threats at each crossing
Complements with a risk summary table for non-data-flow threats (supply chain, DoS, infrastructure access)
Aligns with Flexion’s security-compliance practices: data flow tracing, logging hygiene, secrets management

Scope:

This story establishes the threat model and the process to maintain it
It does NOT implement specific mitigations — those belong to the stories that address them
Future work could add: automated staleness detection, monitoring/alerting integration, incident response runbooks

Trust boundaries to cover (current architecture):

Browser <-> Caddy (TLS, request routing)
Caddy <-> Hono application (reverse proxy)
Hono <-> Git filesystem (spec/submission persistence)
Hono <-> Claude API (LLM integration)
GitHub <-> Webhook listener <-> Deploy pipeline
Browser <-> Hono auth flow (future, Story 2)

Definition of Done alignment:

Current stories use a minimal DoD; Flexion’s standard template includes items like threat model review, user documentation, deployment changes, and feature toggles
This story updates all existing stories to use the aligned DoD template
Not all items may apply to every story (e.g., feature toggles may not be relevant to this project), so adapt the template to project context

Definition of Done:

Acceptance criteria met
Threat model updated – any new trust boundaries, data flows, or attack surfaces are reflected in catalog/architecture/threat-model.md
Technical documentation updated – architecture docs and decisions are current
Threat model document reviewed for completeness against current architecture
Claude skill tested against a sample branch diff
All existing story definitions of done updated
Tests pass
Type checking passes
CI pipeline green
Deployed and demoable

Home
Catalog
Design System

Forms Lab — LLM-Assisted Forms Platform