Prioritize issues found during threat modeling within the backlog.
Remember, in a continuous development model (Agile or CI/CD), threat modeling runs as an out-of-band process. Issues it uncovers can therefore surface at any point, including after development sprints are already underway. Write these issues up as user stories and prioritize them on the backlog during a bug wash or sprint planning session, just as you would any other user story or defect.
It may be necessary to ‘pull the chain and stop the train’ to fix a serious issue found in a threat model.
I was once involved in a threat modeling exercise where we identified that the authentication module in a system handling protected health information (PHI) was seriously broken. The development team was in the middle of one of the last sprints in a release commitment. The current sprint was cancelled and priorities were rearranged.
Since threat modeling involves at least some of the principals on the development team, it shouldn't surprise the team when work is disrupted to resolve a serious security flaw identified through threat modeling.