
>> So this one plugs in. Stick it on just for the live stream. Yeah.
>> And we're using that one for the broadcast in the room.
>> For the room, can I use a wireless?
>> Probably. As long as the audio works. Okay.
>> Just because I'm going to be typing quite a bit.
>> Can we talk to the radio mic?
>> Yeah, this should just work. They won't feed back, will they, from each other? Should be fine. Let me just clip this one on this side.
>> Awesome. Do I need to test? Oh, you can... I can hear me.
>> Yeah.
>> Awesome.
>> And I was already getting audio from that.
>> Good luck. I hope that the...
>> Oh, man. This live demo is going to be very, very YOLO.
>> Very... It's not going to be deterministic.
>> Magic.
>> Cool.
>> Yeah. Do you need to do...?
>> Cool.
>> All right. Grab your seats. We'll finish up with the last talk of today. So I will hand over to Christian, talking about threat modeling as code.
>> Thanks, mate.
>> Awesome. Thank you. [Applause]
>> Hello everyone. Thank you for hanging out. I know it's the very last session of the day and I'm the last speech, I guess, before drinks are hopefully happening down at Steve's, I believe, unofficially. This afternoon I get to talk to you about a topic that I'm super, super passionate about. Plus I'm going to really, really try and demo some stuff, but I'm demoing it using our favorite buzzword, LLMs. So it's going to be very, very... I've done this demo like 10 times and, 30% hit rate, it's gone way off the rails. So I guess we'll see how this goes. I also have to apologize that after working on these slides for so many days, in my mind it started to sound like I was just saying "threat yodelling", which I think actually works, because a lot of the time when people are performing threat modeling it honestly feels like we're just shouting off the top of a mountain.
Anyway, today's presentation, I'm going to talk a little bit about threat modeling. And I need my spectacles now because I'm getting old. A little bit about threat modeling. I'm going to talk and demo quite a bit on this open source project that I've been working on for the last few years, particularly how to leverage CI/CD to automate workflows and business logic checks for your threat assessments and threat models, and then have a look at how artificial intelligence may help, or your favorite non-deterministic postmodern Markov chain ebook machine generation system. It's pretty random but also kind of fun. I did actually ask an AI to figure out a backronym for what I was trying to say when I was talking about AI, and it came up with this, which I thought was quite funny. And like, don't get me wrong, I think there's a lot of really cool use cases. Obviously, the greenhouse gas emissions side of things is not fantastic. Just as a reminder, make sure that you validate the output from your AI slaves.
My name is Christian Frichot. I've been doing security for a long time. The last 10 years I've been focusing on, and have been really fortunate to work in, kind of big, big tech companies, both in San Francisco and also remote from here in Perth. Now, I would say my time working for HashiCorp and my time at Atlassian (I currently work at Atlassian) certainly started to have a pretty profound impact on my approach and my philosophy to threat modeling, particularly when you want to collaborate with software engineers. So hands up if you work as a software engineer. A couple of hands. Hands up if you work with software engineers. Right. A lot of hands. Okay. Awesome. I definitely am a wannabe software engineer. I don't get to get my hands on the keyboard as much as I possibly can. I guess my next question I'm going to ask is, who here performs threat modeling? Okay, cool. Good. What about people that think you might be doing threat modeling in the future, or it's a capability that you want to try and expand and grow and develop in your
place of work? Okay, awesome. So personally I do come from this school of thought: practical threat assessment can be a really, really valuable and effective way to help address and manage technical risk, to help deliver more secure products that your customers can trust. Now, when we think about how threat modeling and threat assessment typically gets executed at enterprise organizations, it might follow something that looks a little bit like this. You've got some product manager and they go, "We need to build a widget." They'll start planning the widget. They'll get a project manager. They might spin up a whole bunch of project logistics. Maybe there's some integration points with the security team. Like maybe the security team goes, "Oh, you've got a new project. You have to come and talk to us." And then the security folks kind of get hooked in. And then they start gathering information and they start writing a bunch of documents, and people create diagrams and data flow diagrams, and there's lots more documentation. And then they go, "Okay, cool. We need to now do a whole bunch of threat modeling workshops." And then there's just workshops, and you're sitting down and you're doing whiteboarding and it's all awesome. And then maybe the security team has some gating processes, like, cool, this feature has been developed, we've done threat assessment, you've done some pen testing and all these other things, and you can finally release it.
Now, what's the problem with this? Well, one of them is that it's really boring. Like, this just doesn't sound very fun to me. And you know what software engineers would actually rather be doing? Programming. And when we think about what we get from this exercise, you really have to question the value of the time invested. Now, if you're doing this well, you should be driving positive change. So the project comes in as an input into your black box of threat assessments, and then the output is the project team agree that there's things that they need to change. They go, "You know what, that is a problem. We're going to have to tighten authentication," or whatever. And I guess typically the other aspect that's really important is documentation, because quite often systems are never built once. They're probably expanded. People might change. There might be extensions on systems, and you have to kind of, you know, "We built this big widget, but now we want to add AI to the widget." So now you've got security coming in to do a threat assessment of those changes. So really good documentation can also really help for future threat yodellers. But a lot of the time it's kind of like, this is the process, it's done, we move on to the next one.
So what's the problem here? I think if we take the lessons that we have seen maybe over the last 20 years in the DevOps and agility space, we've seen this massive industry push for "we deploy code to production a million times a day" and we're moving really, really fast, and a lot of threat modeling and threat assessment typically is still based on, I guess, manual assessments, potentially documenting things in Confluence pages or in Word documents. Obviously, some companies use threat modeling and threat assessment tools to help this along, but we're kind of missing a lot of these optimizations. And one of the things that I really enjoyed about working at HashiCorp is that HashiCorp was all about the source of truth in their organization, and their source of truth was code. Everything was as code, and they basically were, I guess, culturally moving to this point where everything should be documented in code: policies, standards, security vulnerabilities, threat assessments, obviously the products that they sell, strategies. And if it's not committed into a repository, then effectively it's deemed as sort of nebulous. So let's bring DevOps productivity into security. I'm sure someone else said this, but I have also said this. Let's think about infrastructure as code and the effect that infrastructure as code has had on the industry, and let's bring it to threat modeling. And that's where threatcl came in. I did the first iteration of this while I was working at HashiCorp. Obviously, everything at HashiCorp is as code, and I was like, our threat models should be as code.
Hands up if you have used Terraform. Yeah. Okay, cool. So Terraform is a popular infrastructure as code product from HashiCorp. I really liked the syntax of Terraform HCL files. If you've ever worked with HCL, or HashiCorp configuration language, threatcl is built around HCL. You can document your threat models in JSON as well, and the utilities will process them as well, but HCL unlocks a bunch of really interesting capabilities just because of the nature of how the specification is built. So it's Git friendly and it's great for CI/CD. And I'm just going to jump into a terminal. But before that, I actually saw a meme the other day, and for those that work in Terraform, I thought this was quite funny. [Music] Because I have definitely been there. Like I feel like I've done terraform apply and then everything broke. I feel like this was me, except I would never be able to lift whatever that skeleton is lifting. Not on a good day. Anyway, so I am going to jump
into a terminal. And for those that are comfortable with working in HCL, threatcl gives you the ability to drop into your editor. And we're just going to threat model a recruiting app. So this is just a really simple example of what the specification looks like. This is not exhaustive, but we can start working on this. Let's say we're building a recruiting app, and it's an app for recruiting people. Maybe we've got use cases like recruiters can list jobs. What's another use case? Someone give me one. What would be another use case in a recruiting app?
>> Shortlisting jobs.
>> I mean, that's okay. You guys are missing the point, but that's okay. How about candidates apply for jobs? That seems quite important. Now, threats is obviously where the power of threat modeling comes in. So you document all the potential bad things that could go wrong, and you can put impacts there and you can figure out controls. So maybe something like an attacker DDoSes the app, and that would impact integrity. Sorry...
>> Availability.
>> Thank you, availability. See, this is why... I'm doing pair programming on absolute hard mode. And threatcl basically gives you a bunch of utilities. So you can now validate this, right? Okay, cool. So according to the specification this threat model, and this is a very light example, has been validated. The CLI tooling allows you to view it, which is also not necessarily super exciting, but it gives you this Markdown representation of it. Now, for those that don't even want to look at HCL, the specification, you can also generate this interactively. And at this point you get a friendly Q&A. So we'll do this again. Recruiting app. I'll skip all these optionals. Christian. It's a new initiative. It does face the internet. Let's say that the size is medium. We've got information assets. Job listings: this is all the jobs. It's public. We'll add another information asset. Job applications: applicants apply, and that's probably confidential. Use cases: recruiters list jobs. I won't add any more. I won't add an exclusion. Attackers flood and DoS the system, and that's availability. And then I'll go "no", and then again it basically spits out a threat model, like a fully populated HCL representation of a threat assessment. And this is just a simple example. Obviously, you can add multiple threats. You can add a lot of controls and other bits and pieces.
Now, so far, the things that I've shown you as far as output goes are not super exciting. So Markdown output is maybe useful if you're publishing these things into GitHub. GitHub is kind of cool because it can natively render Markdown. So you get a pretty version of that. But what you actually want to start doing is building dashboards and doing all sorts of other things. And the tool allows you to do that as well, including generating DFDs. So you can do things like export Markdown. So this will give you a raw Markdown version of the same threat assessment. And then for more advanced functionality, you can start using the dashboard command. Now, the dashboard command obviously has a lot more options, because it allows you to set the extension types, whether or not you want a dashboard file. You can provide custom templates. So obviously, you know, Atlassian has a particular format for threat assessments, a different company will have a different format, but this will generate a real simple HTML example of a dashboard. And obviously, if you threw in multiple HCL files, it'll actually generate them for all of the threat assessments. So this is just showing for one. And then this is just a real simple... I mean, I am obviously not a front-end developer, so this is completely vanilla HTML, but the fact that I created HTML is quite good, I would say. Actually, as a full disclaimer, most of this was written before vibe coding was a thing. If you go back through the commit history, anything over the last 6 months, that is absolutely not true anymore.
So I've kind of demonstrated some of the real simple things. You can define a threat model in this file and you can interact with it and dynamically process it. Now, as soon as you start doing this, you can shift your paradigm for how you manage threat models. All of a sudden, now you can start managing them like code. So that means maybe you have software repositories for your widget product. You can put a threat model in there and you can put some workflows to automatically process, validate, and publish that. So the widget changes, you
update your threat model, the CI/CD picks it up, it republishes your threat assessment. Potentially you can centralize all your threat models into a single repo, which is also potentially useful. You've got a single repo where you've got all your threat models. You can obviously commit to them and you get all the benefits of Git. So you get the version history and you can git blame and find who messed up on something in the past. Plus you can automatically generate and publish documentation. GitHub Actions. Hands up if you've used GitHub Actions before. Okay, cool. So GitHub Actions is GitHub's CI/CD solution. And this is just a really simple example of creating a dashboard and exporting it. threatcl has native GitHub Action magic. So you can just use threatcl, and then this one will validate all your HCL files. It will then build a dashboard file, and then in this instance it will actually recommit the dashboard and all your changes back into the repository itself, which is a little bit quirky but kind of fun. Think about it: you've got a repo with all your threat models, someone updates one of your HCL files, this thing will publish updates and then recommit it back on top of itself. And what you get when that successfully runs, see if I can click over to it, is this. So this is an example that was dynamically generated. And if you click on one of these threat models, this was a threat model that actually had a data flow diagram defined inside of it. And when you publish your dashboard, it renders the PNG of the data flow diagram as well. So you can see there's diagrams and there's some threat model stuff.
All right. Okay. So, code files for threat models, workflows inside of your CI/CD. But we haven't really touched on why HCL. And one of the things I really liked about Terraform is its modularization. Like, you can include things from other places into your Terraform files, define really expansive modules elsewhere and then import them, and then it influences your build and your environments and stuff. threatcl has exactly the same functionality. So you can define central control libraries, and I've got a couple for the AWS security checklist and a couple of other things, and then you can define a threat model for the product that you're building, and you don't have to retype anything or recreate anything. You can import that information from a central library, which itself you can also then version control. So over time you can obviously adjust those controls. Maybe the effectiveness of the controls changes over time, and things like that. Baselining is also really great. Like the widget that I was talking about before, maybe you've got a threat model for the widget and the company wants to build a new product on top. You can now build a threat model for that, refer to the threat model from here, which sets a new baseline threat model, and then just add the bits that are different and then publish that as a final result. So this kind of modularization I think is quite powerful, and I'm going to try and figure out how to do this live.
So I'm going to get rid of just some of these weird placeholder things, and I'm going to refer to an example on the internet. So up here on this Git repo, I've got an example of an authentication control defined in a Git repo, up on the internet. And what I want to do is, first of all, import that. So we can add an import into GitHub, threatcl, to a particular file. The format's a bit funny with the pipe: library, expanded controls. I'm just going to try and validate that to make sure it still works. Cool. So now I've imported this. I want to pull in that authentication control into this threat. So maybe there's a new threat, something like attackers can impersonate a candidate. And I want to import a control, that authentication control. So you define a new import. It's an expanded control, and it was called "authentication control", like that. And if I validate it, and then if I view it, you should see it's now added a threat, which is... attackers can... whoops, hang on, scrolling. This is a little funny. "Attackers can impersonate a candidate", and then it's dynamically pulled in that centralized control from a separate GitHub repo. Under the hood, this is using another HashiCorp package called go-getter. So you can actually refer to local files, you can refer to Git repos, you can refer to HTTP assets, and it handles all the other magic underneath quite well. And that really starts to unlock this modularization for your programmatic threat models. Now, doing
all this inside of HCL also starts to give you some other really interesting benefits. Hands up here if you've used Semgrep. Not as many hands. There's more people using Terraform than Semgrep. That's interesting for a room full of security people. Semgrep is a static analysis tool. They have an open source version, a community edition, plus also a professional thing. For those people that put their hand up that they use Semgrep, did you know that Semgrep has rules for Terraform files? Have you? Yeah. Okay. So Semgrep built the engine to be able to grok HCL because they wanted to be able to provide scanning capabilities for your infrastructure as code. Now, this is awesome because you can write business logic rules in Semgrep to validate your threat models. So, for instance, maybe you want to throw a warning if someone has documented a threat and they don't have a control. You don't necessarily want to stop it from publishing, potentially, but maybe you just want to throw a warning to them. And using Semgrep rules, we can actually start doing these sorts of business logic checks against processed threatcl files. So to do that, I do have to export the file, which may be a little bit weird, because it needs to build the final product. And then I can scan that processed file, and you will notice that it's going to throw an error. So in this instance there was that DoS threat that we had documented, and we had not put a control in there. So we should address that problem, and we can address that problem. So what was it again? Availability. So you can see here there's no controls for this threat, and we want to add an expanded control block. Maybe it's something like CDN, "we use a good CDN", or something like that. So if we validate, that still works, and then we export it, and then we scan it with Semgrep, we should see that should pass, except we've got two different business rules that we documented, well, configured, inside of Semgrep. One was the current control is not implemented, so I forgot to put implemented to true, and the second warning was there's no risk reduction value. So you've documented that there is a control, but you haven't documented that it's reducing the risk appropriately. So let's quickly go fix those things. Let's say that we use a better CDN, and it's implemented equals true, and its risk reduction is at least 40%. So we export that, and then we scan it, and this time it passed, nothing. So in this instance that threat model met all the business requirements that we had documented inside of Semgrep, and that's quite a powerful capability. Like, we can define requirements that you want for these threat models and manage them as you do manage code, which is absolutely something that we should be doing.
This is all still way too manual, right? Why am I opening up a terminal and fussing around with code? What about all them juicy AIs that people are talking about? So threatcl also has an MCP server. Now, when I started working on these slides, I was using Cursor. Do people know what Cursor is? It's an AI IDE. And then a week or two ago, Atlassian launched their new Rovo Dev CLI tool, which is... I'm not
too sure if anyone here has used Claude Code. It's kind of like the terminal version of Claude Code, but this is the Atlassian version. Now, under the hood, it uses exactly the same models. So it uses Anthropic models. You can select the new OpenAI models if you want. And I thought, I'm going to run this demo on absolute chaos hard mode. I'm going to try and use the Atlassian Rovo Dev AI product to create a threat model from scratch. And it's probably not going to work, but we'll see how we go. In this folder, I have got a recruiting app that I have vibe coded. It's not super exciting, but what I'm going to do is, I am going to start. So acli is the Atlassian CLI tool, for Atlassian customers out there. Rovodev is their interactive Rovo chat thing. I'm going to try and run this to see if it can create a threat model for me. You can see it's using Claude Sonnet 4, and, similar to Claude Code, we've got the ability to interact with MCP servers. So you can see down here, in this instance, it's got a threatcl local MCP server which has access to a whole bunch of different tools, like interacting with threat models, validating threat models and things like that. So I'm going to ask it to review the threatcl HCL specification, then analyze what this web application is about, draft a preliminary product security threat model using the specification, write this HCL to a file, then validate it. If there are any bugs, directly edit the file and then revalidate it. And then after it's validated... this last bit never works. But after it's validated, I also want you to generate a DFD. So it said, "Cool. I'll help you do the thing." It's already quickly looked at the HCL specs, so it understands what they should look like. It's going to start going through all the content. Oh, I actually had a backup file. So I wonder if it's going to realize that there is an existing threat model file, but that'll be fine. It's going to look at all the code. "Now I have a good understanding of the application. Let me create a comprehensive threat model for this recruitment web app based on my analysis. This is a client side web app that manages things." It's going to try and create this file.
Come on. If I ran out of tokens, that would be very funny, because I actually don't know how many tokens I use on this thing. And I'm using, I guess, a trial of the Atlassian product. I'm not even using the real thing. It's definitely doing... Okay, cool. It's successfully created a threat model file. "Now, let me validate this threat model file." It successfully validated that it created a threat model file. "Excellent. Now let me create the data flow diagram."
Come on. But the data flow diagrams that it creates sometimes are, like, interesting. So I did see one that it created earlier that I was like, that's actually not terrible. But sometimes it is very not good. Which is, I guess, good for security professionals. I don't think AI is necessarily going to take all of our jobs just yet. Or maybe this will fail and then it'll go into a loop and then it'll chew up all my tokens. Oh, it actually did run into a problem because it had a typo. "I see there's a typo. I wrote thread model." Oh my god.
What are you doing? I love this. I think... I don't think... maybe this could actually be an error on my behalf. I don't think it realizes that this tool just needs the file name. I think it might be trying to give it the raw string, which is why it's going to fail. But I'm still crossing my fingers for this little AI non-deterministic Markov chain ebook generation machine.
Oh no, it created something. Okay, cool. "Perfect. I have successfully created this thing." Oh, now it's listing the contents. Okay, cool. "Here's a summary of the things I did." Oh, god. "I analyzed the..." Yeah. Okay. It didn't... I need a different AI to summarize the output of the AI. Apparently I only used 37,000 of my session context. And also, obviously, because it's an Atlassian product: "Do you want me to create you Jira work tickets?", which is really lovely, and it can go and do that, but maybe not today. So let's see what it actually created. So inside of the threat model folder there are two files. If I look at the threat model HCL, it's got security threat model for the UI5, which was an open source thing that I used. It created some additional attributes. It's a single page application. Information assets: candidate personal data, recruitment process data, application source code, the HR personnel that access the website. There's some exclusions. It documented some of the third party dependencies, which is quite funny. It's found that there's potentially cross-site scripting threats. It's suggesting that we should have input validation and sanitization. Currently it's not implemented, which is good, because I definitely have not implemented any of these things. And then if I keep on going down, so it's obviously documented quite a lot of things. Finally, it's also done this data flow diagram. So the specification allows you to programmatically define a data flow diagram. We're going to open this file up and just see what it looks like. Oh yeah, this is definitely something. I don't know what is happening in this picture, but this is an example of those times where you really do want to review the output, because I don't know why it looks anything like that.
>> That's a good CD.
>> I mean, yeah.
>> Yeah, I love it. It's working as intended, right? Like, oh my god.
>> We told it to do that.
>> It's exact... Yeah, that's true. It is just going to blindly follow my instructions. So anyway, that's the end of what I was going to demo. It actually got further than it has in some of the dry runs. So, yay. Anyway, I guess the takeaways for me are, depending on your scale of organization, how often you do these sorts of assessments, and also if you work in software product style companies, these sorts of approaches absolutely are things that you should be investigating. Now, threatcl is quite a big hammer for a lot of use cases. Even just starting with templated Markdown files in your repositories, that's a really good start and it costs you absolutely nothing. But as soon as you start automating your business logic checks inside of CI/CD and generating computer readable output, I think you start to unlock a lot of really powerful features, in particular because I think we're seeing this big phase change where a lot of enterprise knowledge management tools are all about search indexing and being able to go, "Hey, the company's building this new product and it looks a little bit like this other product. Have we ever done a security assessment of that thing?" And this obviously helps along that journey. Maybe LLMs can help. I don't know if this was necessarily a good sales pitch for that or not. And obviously don't forget to verify their outputs. Thank you very much. That's all I had.
>> Questions? Yes.
>> So based on what you've shown us, it looks like whether or not the control is implemented or valid at any point in time still seems not necessarily linked to what might be changing in the code.
>> Exactly.
>> Have you seen or played around with... if we take an example of, you have a risk that data might not get redacted where it's supposed to be, and a control, we implemented a redaction functionality, using an LLM on commits to look at what's changing in the code, read the threat model and go, "Hey, they forgot to input the redaction thing"?
>> Brilliant. That's... people should be doing that, like...
>> Yeah. I mean, obviously, blindly committing things from the AI overlords is obviously something that a lot of software companies are dealing with right now. We're definitely seeing a big push for, well, can we get to the point where the reviews are automated? But I mean, that's a really good example. You could definitely, in theory, build up non-deterministic style things to go, in particular if you can already hook agents into your PR workflows or your reviews, you could literally go, "Hey, does this change influence anything inside of this threat model file?", because obviously knowing how to read the spec is quite simplistic for a text machine. I mean, that's awesome. It literally could be, "Cool. You know what this does? We think this change that you've implemented for authorization controls adds a couple of controls, or it potentially bumps the risk reduction targets up," or whatever. No, it's a great idea and I'm absolutely going to take that to work. Any other questions? Yes.
>> Are you feeding it knowledge of STRIDE, or giving it that background information?
>> No. No. And that's, yeah, a good point. It definitely has it in there, because I think the new version, Claude Sonnet or whatever it is, is a pretty up-to-date model, and they certainly would have slurped up all the open source OWASP material. So they would have some of that, but you're right, none of that was pre-prompted, and you could certainly make that smarter by adding more layers of knowledge in the front. We're doing a lot of exploration right now for auto code review things, but we're feeding it knowledge of our secure coding guidelines. So it's not just about a software developer getting an automatic peer review that says, "This is how the industry addresses cross-site scripting." It's about understanding how we actually do it using the platforms and frameworks inside of our organization. So that could definitely be better with targeted stuff.
>> And so you're relying on the developer to go and update the HCL. So they put a control in place, but have you had anybody driving it from a Jira ticket to update the HCL?
>> No.
>> Developers love to do the tickets, right? They'd rather do that sometimes than update HCL.
>> Yeah, I guess the next future panacea step would be automation that can look at a Jira ticket and has a relationship with your Git repo, and it can action the, you know, the Jira ticket is "update the threat model, here's the repo", and then an agent picks it up and does it. So in theory we're seeing orchestration things that can help achieve that, but I haven't seen anything like that. HCL files, like... working at HashiCorp and seeing how they were so... the HashiCorp Cloud Platform is obviously built entirely on Terraform and their own container orchestration system and stuff like that. I'd never seen HCL like they had written inside their own company, and that certainly for me was a big... like, working at places that used a lot of Terraform, seeing the massive differences between how people did it. This falls a little bit into that. Like, I kind of feel like if your comfort level with HCL is light, you can probably keep them simple. If it's much more complicated, using modular control libraries and stuff like that could be something to explore. Yes.
>> Is this something you're trying to push them to?
>> Yeah, we're definitely trying to push this way. It's complicated. Our scale is big. We do a lot of threat assessments and we have a lot of orchestration around how we do those things. We're building right now a lot of automated systems and stuff like that, and building a lot of agentic things internally for our own stuff. But yeah, definitely, the internal Atlassian system of work is pretty... they do have a strong bias towards... HashiCorp was all about, if it's not documented in a Git repo then it doesn't exist. Atlassian is like, if it's not on a Confluence page. So the source of truth is basically Jira tickets and Confluence pages. I do have some stuff that I worked on on this where it can generate Atlassian document formatted outputs. So you can export it into ADF, and then you can get different utilities to then use that to update Confluence pages. So your orchestration literally could be, you manage your threat model in your source code repository, the workflow then updates a Confluence page, but it's pretty hacky. Like, it's not at scale. Any other questions? Oh, yes. Right up the back.
>> Is there a language server, or...?
>> Yeah. So I installed the Terraform one, and it kind of does some of the highlighting, but there's no LSP for the syntax of the specification. So you can make it look a little prettier, but it definitely won't go, "Hang on, you just typed, you know, in your data flow diagram you've put a process, but you've typed process," like, there's nothing like that. But that's a really good idea, and hopefully maybe that's not too difficult. If you are bored, please go to the GitHub site and feel free to have a look, and if you want to commit to it yourself, that'll be magic. Awesome. Thank you all so much. I guess handing over to you folks.
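The three business-logic checks the talk runs over an exported threat model with Semgrep (a threat with no control, a control not marked implemented, a control with no risk reduction value), written out as an added Python example that is not from the talk, from threatcl or from its Semgrep rules; it goes one step further than the talk by also flagging a risk reduction below the 40% the demo settles on. The dict layout and field names (`threat`, `expanded_control`, `implemented`, `risk_reduction`) are assumptions loosely following the blocks the talk names, not threatcl's actual JSON schema.

```python
"""Business-logic checks for a threat model, along the lines of the Semgrep
rules demoed in the talk. Added example, not threatcl's own code. The model
is a constructed dict loosely shaped like a threatcl document: threat blocks
that carry expanded_control blocks. Field names are an assumption."""
from __future__ import annotations

import copy
from dataclasses import dataclass
from typing import Any, Callable

# Minimum risk reduction the talk settled on for the CDN control (40%).
MIN_RISK_REDUCTION = 40

# Per-rule severity: "error" blocks publishing in CI, "warning" only reports.
# The talk discusses the first rule both as a warning and as an error, so it
# is a per-rule choice; flip it to "warning" if you only want to nag.
SEVERITY = {
    "threat-without-control": "error",
    "control-not-implemented": "warning",
    "no-risk-reduction": "warning",
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    threat: str
    message: str


def check_threat_has_control(threat: dict[str, Any]) -> list[str]:
    """Every documented threat should carry at least one expanded_control."""
    if not threat.get("expanded_control"):
        return ["threat documented but no control block present"]
    return []


def check_control_implemented(threat: dict[str, Any]) -> list[str]:
    """A control only counts once implemented = true is recorded."""
    return [
        f"control '{c.get('name', '?')}' is not marked implemented"
        for c in threat.get("expanded_control", [])
        if c.get("implemented") is not True
    ]


def check_risk_reduction(threat: dict[str, Any]) -> list[str]:
    """A control must state how much it reduces the risk, and by enough."""
    msgs = []
    for c in threat.get("expanded_control", []):
        name, rr = c.get("name", "?"), c.get("risk_reduction")
        if rr is None:
            msgs.append(f"control '{name}' has no risk_reduction value")
        elif rr < MIN_RISK_REDUCTION:
            msgs.append(f"control '{name}' risk_reduction {rr}% is below "
                        f"{MIN_RISK_REDUCTION}%")
    return msgs


RULES: list[tuple[str, Callable[[dict[str, Any]], list[str]]]] = [
    ("threat-without-control", check_threat_has_control),
    ("control-not-implemented", check_control_implemented),
    ("no-risk-reduction", check_risk_reduction),
]


def run_checks(model: dict[str, Any]) -> list[Finding]:
    """Run every rule over every threat block and collect the findings."""
    findings: list[Finding] = []
    for threat in model.get("threat", []):
        for rule_id, check in RULES:
            for msg in check(threat):
                findings.append(
                    Finding(rule_id, SEVERITY[rule_id], threat["description"], msg))
    return findings


def should_block_publish(findings: list[Finding]) -> bool:
    """CI gate: fail the job only when at least one finding is an error."""
    return any(f.severity == "error" for f in findings)


def with_control(model: dict[str, Any], description: str,
                 control: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the model with `control` attached to the named threat."""
    new_model = copy.deepcopy(model)
    for threat in new_model.get("threat", []):
        if threat["description"] == description:
            threat.setdefault("expanded_control", []).append(dict(control))
            return new_model
    raise KeyError(f"no threat with description {description!r}")


# Constructed sample: the recruiting app from the demo, with the
# authentication control already pulled in and the DoS threat uncontrolled.
RECRUITING_APP: dict[str, Any] = {
    "threatmodel": "Recruiting app",
    "threat": [
        {"description": "Attackers flood and DoS the system",
         "impacts": ["Availability"], "expanded_control": []},
        {"description": "Attackers can impersonate a candidate",
         "impacts": ["Confidentiality"],
         "expanded_control": [{"name": "Authentication control",
                               "implemented": True, "risk_reduction": 50}]},
    ],
}

if __name__ == "__main__":
    for f in run_checks(RECRUITING_APP):
        print(f"{f.severity.upper()} [{f.rule_id}] {f.threat}: {f.message}")
    print("block publish:", should_block_publish(run_checks(RECRUITING_APP)))
```

Walking the same fix the talk does (add a CDN control, then set implemented and a 40% risk reduction) drives the findings from one error, to two warnings, to none.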