An Integrity-Focused Threat Model for Software Development Pipelines

TL;DR

This paper develops a comprehensive threat model for software development pipelines using the STRIDE framework, identifying vulnerabilities and mitigations across all stages to enhance software supply chain security.

Contribution

It introduces a systematic threat model for software pipelines, covering all stages and demonstrating its application through a practical case study.

Findings

Identified key threats in each pipeline stage.

Mapped vulnerabilities to specific attack vectors.

Provided mitigation strategies for software supply chain security.

Abstract

In recent years, there has been a growing concern with software integrity, that is, the assurance that software has not been tampered with on the path between developers and users. This path is represented by a software development pipeline and plays a pivotal role in software supply chain security. While there have been efforts to improve the security of development pipelines, there is a lack of a comprehensive view of the threats affecting them. We develop a systematic threat model for a generic software development pipeline using the STRIDE framework and identify possible mitigations for each threat. The pipeline adopted as a reference comprises five stages (integration, continuous integration, infrastructure-as-code, deployment, and release), and we review vulnerabilities and attacks in all stages reported in the literature. We present a case study applying this threat model to a specific pipeline, showing that the adaptation is straightforward and produces a list of relevant threats.