This work addresses the novel security threats introduced by the highly software-defined nature of O-RAN architectures and the limitations of traditional manual vulnerability assessment methods, which suffer from subjectivity, low efficiency, and inconsistent outcomes. To overcome these challenges, the paper presents the first automated threat analysis pipeline tailored for O-RAN, integrating natural language processing with standardized threat modeling to automatically map real-world vulnerabilities to a unified threat catalog and generate quantitative threat scores at both component and system levels. The proposed approach seamlessly integrates into DevSecOps workflows, substantially reducing manual intervention and assessment bias, thereby demonstrating the feasibility of achieving efficient, consistent, and scalable security evaluations within O-RAN continuous integration environments.

The Open-Radio Access Network (O-RAN) integrates numerous software components in a cloud-like deployment, opening the radio access network to previously unconsidered security threats. With the ever-evolving threat landscape, integrating security practices through a DevSecOps approach is essential for fast and secure releases. Current vulnerability assessment practices often rely on manual, labor-intensive, and subjective investigations, leading to inconsistencies in the threat analysis. To mitigate these issues, we establish an automated pipeline that leverages Natural Language Processing (NLP) to minimize human intervention and associated biases. By mapping real-world vulnerabilities to predefined threat lists with a standardized input format, our approach is the first to enable iterative, quantitative, and efficient assessments, generating reliable threat scores for both individual vulnerabilities and entire system components within O-RAN. We illustrate the effectiveness of our framework through an example implementation for O-RAN, showcasing how continuous security testing can integrate into automated testing pipelines to address the unique security challenges of this paradigm shift in telecommunications.