Autors: Nikolov, L. A., Aleksieva-Petrova, A. P.
Title: Framework for Integrating Threat Modeling into a DevOps Pipeline for Enhanced Software Development
Keywords: DevOps, DevSecOps, Jenkins, pipeline, threat modeling

Abstract: In the realm of continuous integration and continuous deployment (CI/CD), safeguarding software systems is crucial. Integrating threat modeling into the DevOps pipeline ensures that security considerations are an integral part of the software development process, helping to prevent vulnerabilities from being introduced into production. This study outlines a detailed framework for embedding threat modeling into a Jenkins DevOps pipeline. The framework involves incorporating threat model results into a database and using this data to perform automated security scans. Three challenges are identified in integration of security in DevOps pipeline and discussed against the proposed framework.

References

  1. Rajapakse, R. N., Zahedi, M., & Babar, M. A. (2021, October). An empirical analysis of practitioners' perspectives on security tool integration into devops. In Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 1-12)
  2. Battina, Dhaya Sindhu. Best practices for ensuring security in Devops: A case study approach. International Journal of Innovations in Engineering Research and Technology, 2017, 4. 11: 38-45.
  3. Ur Rahman, Akond Ashfaque; Williams, Laurie. Security practices in DevOps. In: Proceedings of the Symposium and Bootcamp on the Science of Security. 2016. p. 109-111.
  4. Rangnau, Thorsten, et al. Continuous security testing: A case study on integrating dynamic security testing tools in ci/cd pipelines. In: 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC). IEEE, 2020. p. 145-154.
  5. Sandu, Arun Kumar. "DevSecOps: Integrating Security into the DevOps Lifecycle for Enhanced Resilience. " Technology & Management Review 6 (2021): 1-19.
  6. Abiona, O. O., Oladapo, O. J., Modupe, O. T., Oyeniran, O. C., Adewusi, A. O., and Komolafe, A. M. The emergence and importance of DevSecOps: Integrating and reviewing security practices within the DevOps pipeline. World Journal of Advanced Engineering Technology and Sciences, 11 (2) (2024), 127-133.
  7. Marback, A., Do, H., He, K., Kondamarri, S., and Xu, D. A threat model-based approach to security testing. Software: Practice and Experience, 43 (2) (2013), 241-258.
  8. Hong, Jin-Keun. "Component Analysis of DevOps and DevSecOps. " Journal of The Korea Convergence Society 10. 9 (2019): 47-53.
  9. Sion, L., Van Landuyt, D., Yskout, K., Verreydt, S., and Joosen, W. Automated threat analysis and management in a continuous integration pipeline. In 2021 IEEE Secure Development Conference (SecDev) (pp. 30-37). IEEE (2021, October).
  10. Moyon, F., Soares, R., Pinto-Albuquerque, M., Mendez, D., & Beckers, K. (2020). Integration of security standards in devops pipelines: An industry case study. In Product-Focused Software Process Improvement: 21st International Conference, PROFES 2020, Turin, Italy, November 25-27, 2020, Proceedings 21 (pp. 434-452). Springer International Publishing.
  11. Rafi, Saima, et al. "Prioritization based taxonomy of DevOps security challenges using PROMETHEE. " IEEE Access 8 (2020): 105426-105446.
  12. Wolf, A., Simopoulos, D., D'Avino, L., & Schwaiger, P. The PASTA threat model implementation in the IoT development life cycle. Lecture Notes in Informatics (LNI), 2021.
  13. Nikolov, Lyuben Asenov, and Adelina Plamenova Aleksieva-Petrova. "Action Research on the DevSecOps Pipeline. " 2023 International Scientific Conference on Computer Science (COMSCI). IEEE, 2023.
  14. UcedaVelez, Tony, and Marco M. Morana. Objectives and Benefits of Threat Modeling. John Wiley & Sons, Incorporated, 2015.: 63-136.

Issue

2024 32nd International Conference on Software, Telecommunications and Computer Networks, SoftCOM 2024, 2024, , https://doi.org/10.23919/SoftCOM62040.2024.10721871

Цитирания (Citation/s):
1. Basic M., Moric Z., Redzepagic J., Torbar J., Securing the development and delivery of modern applications, 2025, Edelweiss Applied Science and Technology, issue 1, vol. 9, pp. 421-430, DOI 10.55214/25768484.v9i1.4153, eissn 25768484 - 2025 - в издания, индексирани в Scopus
2. Nicho M., Effiong I., Mcdermott C.D., Shift-Left Security: Integrating Security in the Initial Phase of the DevOps Methodology, 2025, Proceedings 2025 9th International Conference on Cryptography Security and Privacy Csp 2025, issue 0, pp. 182-191, DOI 10.1109/CSP66295.2025.00037 - 2025 - в издания, индексирани в Scopus
3. Zmuda R., Graves R., Shepherd M., Brookes S., SoK: Understanding CI/CD Security: A Comprehensive Review of Architecture, Attacks, and Defenses, 2025, Proceedings 2025 IEEE Secure Development Conference Secdev 2025, issue 0, pp. 58-68, DOI 10.1109/SECDEV66745.2025.00017 - 2025 - в издания, индексирани в Scopus
4. Mohammed K.I., Shanmugam B., El-Den J., Evolution of DevSecOps and Its Influence on Application Security: A Systematic Literature Review, 2025, Technologies, issue 12, vol. 13, DOI 10.3390/technologies13120548, eissn 22277080 - 2025 - в издания, индексирани в Scopus

Вид: публикация в международен форум, публикация в реферирано издание, индексирана в Scopus и Web of Science