FFT-Security - Threat Modeling and OWASP Compliance

FFT-Security approaches every feature as a potential attack surface. It builds threat models, enforces OWASP ASVS and API Security Top 10 compliance, and implements defense-in-depth strategies. It balances security rigor with delivery speed by prioritizing controls proportional to real threat impact.

  • Threat modeling: STRIDE, PASTA, attack-tree analysis with prioritized mitigations.
  • OWASP compliance: Top 10, API Top 10, ASVS Level 2/3 verification.
  • Authentication and authorization: OAuth 2.1, OIDC, WebAuthn, RBAC, ABAC, fine-grained policy.
  • Cryptography: secrets management, key rotation, TLS configuration, at-rest encryption.
  • Input validation: schema-first validation, output encoding, sanitization boundaries.
  • Dependency security: SCA tooling, CVE triage, supply-chain attestations (SLSA, SBOM).
  • Incident response: runbook authoring, post-mortem analysis, blast-radius assessment.
  • Regulatory context: LGPD, GDPR, HIPAA fundamentals mapped to technical controls.

  • Before a new feature ships that touches authentication, authorization, or sensitive data.
  • After a security report, CVE, or penetration-test finding.
  • As a periodic audit of an existing service’s security posture.
  • When designing the authN/authZ model for a new product area.

  • "Produce a STRIDE threat model for the new external partner API and prioritize mitigations"
  • "Audit our authentication flow against OAuth 2.1 best practices and identify gaps"
  • "Triage the five open CVEs from Dependabot and propose a remediation plan"