
ASTRA (Architecture and Security Threat Review and Analysis) is a collaborative, business-driven methodology for security architecture review and threat modeling. NOT an audit.


ASTRA Threat Modeling and Security Architecture Review Framework

[ASTRA logo]

github.com/steve-gibbons/astra-threat-modeling-framework


About ASTRA

ASTRA (Architecture and Security Threat Review and Analysis) is a lightweight, collaborative, business-driven security architecture and risk review methodology developed from over 25 years of frontline experience at Wells Fargo, American Express, Ameriprise Financial, and IBM.

Designed to eliminate unnecessary complexity, ASTRA enables meaningful risk discovery through structured yet accessible processes. Most small to medium-sized systems can be interviewed in 2 to 4 hours, often yielding immediate preliminary insights, without requiring specialized training for participants.

ASTRA is not an audit. It is an inquisitive, improvement-focused exercise aimed at enhancing resilience, security, and governance through:

  • Business context alignment
  • System architecture discovery
  • Structured interviews
  • Prioritized risk analysis
  • Actionable improvement recommendations

ASTRA emphasizes:

  • Business alignment – Grounded in real-world mission and operational goals
  • Simplicity of execution – Uses clear templates and plain language
  • Operational transparency – Encourages open discussion and traceability
  • Scalable structure – Adaptable to both startups and enterprise environments
  • Collaboration over confrontation – Findings are meant to improve, not punish
  • Action over theory – Designed to yield tangible, practical outcomes

Use Cases

ASTRA is suitable for:

  • Internal system or service assessments
  • Vendor or third-party risk evaluations
  • Cloud architecture and migration planning
  • Privacy and compliance readiness
  • M&A and investment due diligence
  • Emerging tech and AI risk reviews

What's Included

This repository provides a complete toolkit for ASTRA-based evaluations, including:

  • ASTRA Practitioner’s Manual – Step-by-step guidance for facilitators and teams
  • Unified Working Spreadsheet – Main artifact for logging risks, assumptions, and action items
  • Business Context Questionnaire – Captures stakeholder goals and constraints
  • Technical Architecture Questionnaire – Documents design, boundaries, and dependencies
  • Quick Guide to Spreadsheet Usage – Field reference for common terms and practices
  • Sample Filled Tables – Example risks, observations, and scoring
  • Risk Matrix Reference – Integrated into the Practitioner’s Manual v1.2.0
  • Client-Facing Guide – Introductory handout to align expectations and explain process

Repository Structure

Folder           Purpose
/templates/      Operational templates including spreadsheets and questionnaires
/examples/       Filled sample tables and scoring charts
/client-facing/  Materials to onboard clients and stakeholders unfamiliar with ASTRA

Quick Start

  1. Review the ASTRA Practitioner’s Manual for methodology and process guidance.
  2. Download the Unified Working Spreadsheet and questionnaires.
  3. Gather business and technical context using the provided templates.
  4. Conduct structured interviews and document findings in the spreadsheet.
  5. Prioritize risks using the built-in scoring model.
  6. Share findings using the reporting structure described in the Practitioner’s Manual.

No specialized tooling is required—ASTRA is designed to work with standard spreadsheet applications and meet teams where they are.
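The prioritization step in the Quick Start relies on the scoring model in the Practitioner’s Manual, which this README does not reproduce. The script below is an added illustration, not code from the ASTRA repository: it reads a CSV export of a working spreadsheet and ranks the rows. The column names, the 1-to-5 likelihood × impact product, the band thresholds and the sample rows are all assumptions constructed here; a team using it should substitute the fields and matrix from the manual.

```python
import csv
import io

# Constructed sample export of a working spreadsheet (not from the ASTRA repo).
# "Likelihood" and "Impact" are assumed to be 1..5 ordinal ratings; the real
# field names and scale are defined in the Practitioner's Manual and may differ.
SAMPLE_REGISTER = """\
ID,Risk,Likelihood,Impact,Owner
R-1,Shared admin credentials for the payments database,4,5,Platform
R-2,No backups tested in the last 12 months,3,5,Ops
R-3,Vendor SDK pinned to an unsupported version,2,3,AppSec
R-4,Verbose error pages reveal stack traces,4,2,AppSec
R-5,Undecided: migration cut-over plan,,4,PMO
"""

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for both axes


def band(score):
    """Map a likelihood x impact product (1..25) to a priority band.

    The thresholds are an assumption for illustration, not ASTRA's matrix.
    """
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def parse_register(text):
    """Parse a CSV export into scored rows.

    A row whose rating is blank or non-numeric is kept and marked "Unscored"
    so it surfaces as an open interview question instead of silently vanishing
    from the ranking. A rating outside the scale is a data-entry error and is
    rejected outright.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            likelihood = int(rec["Likelihood"])
            impact = int(rec["Impact"])
        except (ValueError, KeyError, TypeError):
            rows.append({**rec, "score": None, "band": "Unscored"})
            continue
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError(f"{rec['ID']}: ratings must be within 1..5")
        s = likelihood * impact
        rows.append({**rec, "score": s, "band": band(s)})
    return rows


def prioritize(rows):
    """Order scored items highest first (ties broken by ID), then append
    unscored items so the facilitator can chase the missing ratings."""
    scored = [r for r in rows if r["score"] is not None]
    unscored = [r for r in rows if r["score"] is None]
    scored.sort(key=lambda r: (-r["score"], r["ID"]))
    return scored + unscored


if __name__ == "__main__":
    for r in prioritize(parse_register(SAMPLE_REGISTER)):
        print(f"{r['band']:<9} {str(r['score']):>4}  {r['ID']}  {r['Risk']}")
```

Keeping unscored rows visible at the bottom of the list, rather than dropping them, matches the review's interview-driven style: a blank rating usually means the question was never answered, which is itself a finding worth recording in the spreadsheet.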


License

This project is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).

Attribution:
“ASTRA Threat Modeling and Security Architecture Review Framework, developed by Steve Gibbons.”

See LICENSE for full terms.


Contributions

Contributions are welcome.
To propose edits, suggest templates, or share experiences using ASTRA, please open an issue or submit a pull request.

Contributors are expected to align with ASTRA’s philosophy of collaboration, inclusion, and continuous improvement.


About This Project

ASTRA is dedicated to my fiancée, Karen, who inspires me to seek the light, to fight the Dark Side, and to believe that clarity, collaboration, and resilience are forces for good — in both life and work.

This framework is my contribution back to the security and risk management community that shaped me. It reflects decades of field experience, and the belief that we can build better systems not by adding more friction, but by focusing on what matters.

In a time of economic uncertainty and shifting priorities, ASTRA is also a personal statement:

I’m still here.
I’m still building.
I’m still fighting for what matters.

— Steve Gibbons
