Enhancing Software Supply Chain Security Through STRIDE-Based Threat Modelling of CI/CD Pipelines

📅 2025-06-06
📈 Citations: 0
Influential: 0
📄 PDF

career value

164K/year
🤖 AI Summary
This paper addresses the insufficient identification and mitigation of software supply chain security risks throughout the CI/CD pipeline lifecycle. We propose a structured threat modeling methodology grounded in the STRIDE framework, applied incrementally across core infrastructure components—including GitHub, Jenkins, Docker, and Kubernetes—to cover all phases from source code management to production deployment. A novel integration of STRIDE with the SLSA maturity model enables quantitative assessment of how specific security controls elevate SLSA compliance levels. By unifying Security as Code principles with the “Shift Left–Shield Right” paradigm, our approach realizes threat-driven, automated security enforcement. The outcomes include a structured threat–control mapping matrix and an actionable CI/CD security hardening roadmap, directly supporting DevSecOps adoption and progressive SLSA compliance advancement.

Technology Category

Application Category

📝 Abstract
With the increasing adoption of Continuous Integration and Continuous Deployment pipelines, securing software supply chains has become a critical challenge for modern DevOps teams. This study addresses these challenges by applying a structured threat modeling approach to identify and mitigate risks throughout the CI/CD lifecycle. By modeling a representative pipeline architecture incorporating tools such as GitHub, Jenkins, Docker, and Kubernetes and applying the STRIDE framework, we systematically analyze vulnerabilities at each stage, from source code management to deployment. Threats are documented and mapped to comprehensive security controls drawn from standards like NIST SP 800-218, OWASP Top 10 CI/CD risks, and the SLSA framework. Controls are further evaluated against SLSA maturity levels to assess improvements in trust and provenance. To operationalize these findings, the study outlines a practical security toolchain integration strategy grounded in Security as Code and Shift Left-Shield Right principles, enabling automated, enforceable security across the pipeline. This approach provides a pragmatic roadmap for enhancing CI/CD pipeline security against evolving software supply chain threats.
Problem

Research questions and friction points this paper is trying to address.

Identifying and mitigating risks in CI/CD pipelines using STRIDE threat modeling
Analyzing vulnerabilities from source code to deployment with GitHub, Jenkins, Docker, Kubernetes
Enhancing CI/CD security via NIST, OWASP, and SLSA-based controls and toolchain integration
Innovation

Methods, ideas, or system contributions that make the work stand out.

STRIDE framework for CI/CD threat modeling
Security controls from NIST, OWASP, SLSA
Security as Code and Shift Left-Shield Right
🔎 Similar Papers
No similar papers found.