Making the Case for Cybersecurity
encapsulate cybersecurity-relevant knowledge in a form that analytics tools can act upon. They form the semantic backbone of the pipelines, enabling seamless, automated handoffs. The most critical of these messages include:
• System knowledge: formal, structured facts about the system’ s architecture, behavior, data types, interfaces, and dependencies.
• Attack knowledge: items enumerating generic offensive techniques( e. g. from ATT & CK or CAPEC) and tailored, system-specific attacks paths.
• Threat Intelligence: items enumerating motivated and capable attackers of the specific deployment environment, their preferred techniques and the likelihood of attacks in this environment.
• Vulnerability knowledge: items enumerating generic weakness patterns( CWE) or known component vulnerabilities( CVE), and specific, contextualized vulnerability conditions identified in the system of interest.
• Defense knowledge: items enumerating generic defensive techniques and controls( e. g. from D3FEND or NIST 800-53) and tailored controls for the system of interest.
• Assurance knowledge: structured arguments and evidence that link system facts and mitigations to claims about mission security.
In this framework, these knowledge items are not static— they are continuously ingested, transformed, and linked through inference engines. Cybersecurity becomes a data-driven process powered by a bespoke, contextualized data lake, continuously updated with both community-curated repositories and system-specific facts.
1.3 FROM TOOL-CENTRIC PIPELINES TO KNOWLEDGE PIPELINES
Traditional DevOps and DevSecOps pipelines are focused on coarse-grained artifacts— code repositories, containers, and static configuration files. Even when security scans are included, they remain reactive and detached from the evolving mission context.
In contrast, risk-centric DevSecOps introduces a fine-grained, semantically rich knowledge pipeline. Instead of moving only files, the pipeline moves structured knowledge items: model elements, claims, evidence, and risk inferences. It starts not with source code, but with a mission model. It continues through requirements definition, system modeling, software development, testing and evaluation, and into runtime monitoring— driven by a formal, continuously updated assurance argument.
The DevSecOps pipeline evolves into a distributed model-based reasoning system, contributing to a living cybersecurity assurance case. As models change, new vulnerabilities are discovered, or system configurations are updated, only the affected claims are re-evaluated. This allows teams to reason about cyber risk continuously, and at the speed of modern development.
40 May 2025