You need to develop a curriculum for a 'Secure Software Architecture' course. How would you integrate threat modeling (e.g., STRIDE, DREAD) and security design principles (e.g., least privilege, defense-in-depth) throughout the modules, ensuring practical application and not just theoretical understanding for architects and senior developers?
final round · 5-7 minutes
How to structure your answer
Employ a MECE (Mutually Exclusive, Collectively Exhaustive) approach, structuring modules around the Secure Software Development Lifecycle (SSDLC) phases. Integrate threat modeling (STRIDE, DREAD) into the 'Design' and 'Requirements' modules, emphasizing hands-on workshops for identifying threats and vulnerabilities. Embed security design principles (Least Privilege, Defense-in-Depth, Secure Defaults, Separation of Concerns) within 'Architecture Patterns' and 'Implementation' modules, using case studies and refactoring exercises. Dedicate a 'Verification' module to security testing (SAST, DAST, IAST) and incident response planning, linking back to initial threat models. Conclude with a 'Maintenance' module covering continuous monitoring and threat intelligence integration, ensuring practical, iterative application.
Sample answer
I would integrate threat modeling and security design principles using a phased, hands-on approach aligned with the Secure Software Development Lifecycle (SSDLC). The curriculum would begin with a 'Foundations' module introducing core concepts and the importance of security-by-design. 'Requirements & Design' modules would deeply embed STRIDE and DREAD, utilizing interactive workshops where participants apply these frameworks to real-world or simulated architectural diagrams, identifying potential threats and vulnerabilities. Subsequent 'Architecture Patterns & Principles' modules would then introduce and apply principles like Least Privilege, Defense-in-Depth, Secure Defaults, and Fail Securely, demonstrating how they directly mitigate the threats identified earlier. Each principle would be reinforced through practical coding exercises, architectural reviews, and refactoring challenges. A 'Verification & Validation' module would focus on security testing (SAST, DAST, IAST) and incident response, showing how testing validates the effectiveness of applied principles and threat model assumptions. Finally, a 'Continuous Security' module would cover integrating threat intelligence and continuous monitoring, emphasizing that security is an ongoing process, not a one-time event. This iterative, practical application ensures architects and senior developers gain actionable skills.
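As an added illustration of the hands-on STRIDE/DREAD workshop described above (my own example, not part of the original answer), here is a small Python aid that enumerates threats per data-flow-diagram element using STRIDE-per-element, validates participants' DREAD ratings against that list, and ranks them alongside the course principle that primarily mitigates each category. The DFD, the ratings and the category-to-principle mapping are constructed for illustration.

```python
"""STRIDE-per-element enumeration and DREAD ranking over a small data-flow
diagram (DFD). Workshop aid added here; the DFD, DREAD ratings and the
principle mapping are constructed for illustration, not from a real system."""

# STRIDE-per-element: threat categories worth considering per DFD element type.
# S=Spoofing T=Tampering R=Repudiation I=Info disclosure D=DoS E=Elevation
APPLICABLE = {"external": "SR", "process": "STRIDE",
              "datastore": "TRID", "dataflow": "TID"}

# Constructed mapping: which course principle primarily answers each category.
PRINCIPLE = {"S": "Secure Defaults (strong authentication)",
             "T": "Defense-in-Depth (integrity checks, signed messages)",
             "R": "Separation of Duties (tamper-evident audit logs)",
             "I": "Least Privilege (minimal data access, encryption at rest)",
             "D": "Fail Securely (limits, graceful degradation)",
             "E": "Least Privilege / Separation of Concerns"}

# Constructed DFD for an ordering service: element name -> element type.
DFD = {"Browser": "external", "API Gateway": "process",
       "Orders DB": "datastore", "Browser->API": "dataflow"}

# Constructed workshop output: (element, category) -> (D, R, E, A, D) ratings 1-10.
SCORES = {("Browser->API", "T"): (6, 8, 7, 7, 8),
          ("Orders DB", "I"): (8, 7, 6, 9, 5),
          ("API Gateway", "E"): (9, 6, 5, 9, 4),
          ("Browser", "S"): (5, 5, 6, 4, 7)}


def enumerate_threats(dfd):
    """Every (element, category) pair STRIDE-per-element says to examine."""
    return [(name, c) for name, kind in dfd.items() for c in APPLICABLE[kind]]


def dread_score(ratings):
    """Mean of the five DREAD ratings (D, R, E, A, D), each rated 1-10."""
    if len(ratings) != 5 or not all(1 <= r <= 10 for r in ratings):
        raise ValueError(f"DREAD needs five ratings in 1..10, got {ratings}")
    return sum(ratings) / 5


def rank_threats(dfd, scores):
    """Reject ratings for threats STRIDE-per-element does not list for that
    element, then return (score, element, category, principle), highest first."""
    valid = set(enumerate_threats(dfd))
    ranked = []
    for (elem, cat), ratings in scores.items():
        if (elem, cat) not in valid:
            raise ValueError(f"{cat} is not a STRIDE-per-element threat for {elem}")
        ranked.append((dread_score(ratings), elem, cat, PRINCIPLE[cat]))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, elem, cat, principle in rank_threats(DFD, SCORES):
        print(f"{score:4.1f}  {elem:14} {cat}  -> {principle}")
```

The validation step is the teaching point: a rating for, say, Elevation of privilege on a data store is flagged, which prompts the group to revisit the diagram rather than score threats the model does not actually contain.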
Key points to mention
- Spiral Curriculum Design
- Hands-on Labs/Case Studies
- Capstone Project Integration
- Tool-agnostic vs. Tool-specific Application
- Continuous Threat Modeling (DevSecOps)
- Security Design Principles (Least Privilege, Defense-in-Depth, Secure Defaults, Fail Securely, Separation of Duties, etc.)
- Threat Modeling Frameworks (STRIDE, DREAD, PASTA, VAST)
- Role-playing/Simulations (e.g., Security Champion)
- Feedback Mechanisms (Peer Review)
- Metrics for Security Effectiveness
Common mistakes to avoid
- Treating threat modeling as a one-time activity rather than an iterative process.
- Focusing solely on theoretical concepts without practical application or hands-on exercises.
- Overlooking the importance of integrating security early in the Software Development Life Cycle (SDLC).
- Failing to differentiate between security for architects vs. developers (e.g., architectural patterns vs. secure coding practices).
- Not providing clear metrics or success criteria for evaluating secure designs.
- Ignoring the human element in security (e.g., social engineering, insider threats) in threat modeling.