Threat Modeling Integration in DevSecOps Pipelines: Early-Stage Security Risk Identification Using Shift-Left Approaches
DOI:
https://doi.org/10.63282/3050-922X.IJERET-V5I1P115
Keywords:
Threat Modeling, DevSecOps, Shift-Left Security, STRIDE, Attack Trees, LINDDUN, CI/CD Integration, Security by Design, DREAD, Threat-Driven Development, Architectural Risk Analysis, Security Requirements
Abstract
Threat modeling has long been recognized as one of the highest-leverage activities in security engineering, yet it has historically been practiced as a periodic, document-heavy exercise disconnected from the pace of modern software development. This paper examines how threat modeling can be restructured, architecturally and culturally, to integrate continuously into DevSecOps pipelines without imposing the overhead that has traditionally made it impractical for fast-moving engineering teams. Drawing on a structured study of ten organizations across seventeen months from March 2023 through July 2024, we analyze three distinct integration models and their measurable impact on early-stage risk identification rates, threat model coverage, architectural decision quality, and the cost differential between pre-development and post-deployment risk remediation. Results demonstrate that organizations with continuous threat modeling integration identify architectural security risks an average of 6.2 times earlier in the development lifecycle than those following episodic practices, and that integration significantly reduces the proportion of design-level vulnerabilities discovered in production. We also address the practical barriers to pipeline-integrated threat modeling (tooling gaps, expertise distribution, and workflow friction) and propose a maturity model for adoption. The findings offer concrete guidance for security architects and DevSecOps practitioners evaluating how to evolve threat modeling from a compliance activity into an engineering practice.