Threat Model
Overview
This document identifies threats to the Release Orchestrator and their mitigations.
Threat Categories
T1: Credential Theft
| Aspect | Description |
|---|---|
| Threat | Attacker gains access to credentials through database breach |
| Attack Vector | SQL injection, database backup theft, insider threat |
| Assets at Risk | Registry credentials, vault tokens, SSH keys |
| Mitigation | Secrets NEVER stored in database; only vault references stored |
| Detection | Anomalous vault access patterns, failed authentication attempts |
T2: Token Replay
| Aspect | Description |
|---|---|
| Threat | Attacker captures and reuses valid JWT tokens |
| Attack Vector | Man-in-the-middle, log file exposure, memory dump |
| Assets at Risk | User sessions, API access |
| Mitigation | Short-lived tokens (15 min), refresh token rotation, TLS everywhere |
| Detection | Token used from unusual IP, concurrent sessions |
T3: Agent Impersonation
| Aspect | Description |
|---|---|
| Threat | Attacker registers fake agent to receive deployment tasks |
| Attack Vector | Stolen registration token, certificate forgery |
| Assets at Risk | Deployment credentials, target access |
| Mitigation | One-time registration tokens, mTLS with CA-signed certs |
| Detection | Registration from unexpected network, capability mismatch |
T4: Digest Tampering
| Aspect | Description |
|---|---|
| Threat | Attacker modifies container image after release creation |
| Attack Vector | Registry compromise, man-in-the-middle at pull time |
| Assets at Risk | Application integrity, supply chain |
| Mitigation | Digest verification at pull time; mismatch = deployment failure |
| Detection | Pull failures due to digest mismatch |
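The T4 mitigation as a worked example (added here; not the Release Orchestrator's own code): the release pins an image by digest, the agent recomputes the digest of whatever the registry actually served at pull time, and a mismatch halts the deployment. The reference format, manifest bytes and registry name are constructed for the example; a tag reference is rejected because tags are mutable.

```python
import hashlib
import hmac
import re

# Only the immutable form name@sha256:<64 hex> is accepted as a release reference.
DIGEST_RE = re.compile(r"^(?P<name>[^@]+)@sha256:(?P<hex>[0-9a-f]{64})$")

def parse_pinned_reference(ref: str) -> tuple:
    m = DIGEST_RE.match(ref)
    if not m:
        # A tag such as app:v1.2 lets a compromised registry serve different
        # content later, so it is not an acceptable release reference.
        raise ValueError(f"release reference must be pinned by digest, got {ref!r}")
    return m.group("name"), m.group("hex")

def verify_pulled_manifest(ref: str, manifest_bytes: bytes) -> str:
    # The image digest is the sha256 of the manifest bytes the registry served;
    # the layer blobs are in turn pinned by the digests listed inside it.
    # Recompute locally and compare with the digest pinned at release creation.
    name, expected = parse_pinned_reference(ref)
    actual = hashlib.sha256(manifest_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise RuntimeError(
            f"digest mismatch for {name}: pinned sha256:{expected}, pulled sha256:{actual}")
    return actual

# Constructed sample data: the manifest recorded when the release was created,
# and a tampered copy that a compromised registry might serve at pull time.
RELEASE_MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:aaaa"}]}'
TAMPERED_MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:bbbb"}]}'
PINNED_REF = "registry.example/app@sha256:" + hashlib.sha256(RELEASE_MANIFEST).hexdigest()

def pull_and_deploy(ref: str, served: bytes) -> str:
    # Returns "deployed" or "halted: ..." so the outcome can feed the T4
    # detection signal (digest mismatch at pull) instead of running the image.
    try:
        verify_pulled_manifest(ref, served)
    except (ValueError, RuntimeError) as exc:
        return f"halted: {exc}"
    return "deployed"
```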
T5: Evidence Tampering
| Aspect | Description |
|---|---|
| Threat | Attacker modifies audit records to hide malicious activity |
| Attack Vector | Database admin access, SQL injection |
| Assets at Risk | Audit integrity, compliance |
| Mitigation | Append-only table, cryptographic signing, no UPDATE/DELETE |
| Detection | Signature verification failure, hash chain break |
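The T5 mitigation and its two detection signals as a worked example (added here; not the orchestrator's own code): each evidence record commits to the previous record's hash and is signed, so editing or removing a row is caught by a hash mismatch or a chain break. The record fields and the HMAC signing key are constructed for the example; the key stands in for a vault-held signing key.

```python
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; real key lives in the vault
GENESIS = "0" * 64

def canonical(record: dict) -> bytes:
    # Stable serialisation so a record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_record(log: list, body: dict) -> dict:
    # Each record commits to the previous hash and carries a signature over its
    # own hash, so an existing row cannot be edited or removed unnoticed.
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "prev_hash": prev_hash, "body": body}
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    record["sig"] = hmac.new(SIGNING_KEY, record["hash"].encode(), "sha256").hexdigest()
    log.append(record)
    return record

def verify_chain(log: list) -> str:
    # Returns "ok" or describes the first failing record. Tail truncation alone is
    # not caught here; that needs the latest hash anchored outside the database.
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev_hash"] != prev_hash:
            return f"hash chain break at position {i}"
        unsigned = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if hashlib.sha256(canonical(unsigned)).hexdigest() != rec["hash"]:
            return f"hash mismatch at seq {i}"
        sig = hmac.new(SIGNING_KEY, rec["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, rec["sig"]):
            return f"signature failure at seq {i}"
        prev_hash = rec["hash"]
    return "ok"

def demo() -> tuple:
    # Constructed evidence packets for one release, then two tampering attempts.
    log = []
    append_record(log, {"event": "release.created", "actor": "alice", "image": "app@sha256:aaaa"})
    append_record(log, {"event": "deploy.approved", "actor": "bob", "env": "prod"})
    append_record(log, {"event": "deploy.completed", "actor": "agent-7", "env": "prod"})
    edited = copy.deepcopy(log)
    edited[1]["body"]["actor"] = "alice"  # rewrite who approved the deployment
    deleted = copy.deepcopy(log)
    del deleted[1]                        # remove the approval record entirely
    return verify_chain(log), verify_chain(edited), verify_chain(deleted)
```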
T6: Privilege Escalation
| Aspect | Description |
|---|---|
| Threat | User gains permissions beyond their role |
| Attack Vector | Role assignment exploit, permission bypass |
| Assets at Risk | Environment access, approval authority |
| Mitigation | Role-based access, SoD enforcement, audit logs |
| Detection | Unusual permission patterns, SoD violation attempts |
T7: Supply Chain Attack
| Aspect | Description |
|---|---|
| Threat | Malicious plugin injected into workflow |
| Attack Vector | Plugin repository compromise, typosquatting |
| Assets at Risk | All environments, all credentials |
| Mitigation | Plugin sandbox, capability declarations, signed manifests |
| Detection | Unexpected network egress, resource anomalies |
T8: Lateral Movement
| Aspect | Description |
|---|---|
| Threat | Attacker uses compromised target to access others |
| Attack Vector | Target compromise, credential reuse |
| Assets at Risk | Other targets, environments |
| Mitigation | Short-lived task credentials, scoped permissions |
| Detection | Cross-target credential use, unexpected connections |
T9: Data Exfiltration
| Aspect | Description |
|---|---|
| Threat | Attacker extracts logs, artifacts, or configuration |
| Attack Vector | API abuse, log aggregator compromise |
| Assets at Risk | Application data, deployment configurations |
| Mitigation | Encryption at rest, network segmentation, audit logging |
| Detection | Large data transfers, unusual API patterns |
T10: Denial of Service
| Aspect | Description |
|---|---|
| Threat | Attacker exhausts resources to prevent deployments |
| Attack Vector | API flooding, workflow loop, agent task spam |
| Assets at Risk | Service availability |
| Mitigation | Rate limiting, resource quotas, circuit breakers |
| Detection | Resource exhaustion alerts, traffic spikes |
STRIDE Analysis
| Category | Threats | Primary Mitigations |
|---|---|---|
| Spoofing | T3 Agent Impersonation | mTLS, registration tokens |
| Tampering | T4 Digest, T5 Evidence | Digest verification, append-only tables |
| Repudiation | Evidence manipulation | Signed evidence packets |
| Information Disclosure | T1 Credentials, T9 Exfiltration | Vault integration, encryption |
| Denial of Service | T10 Resource exhaustion | Rate limits, quotas |
| Elevation of Privilege | T6 Escalation | RBAC, SoD enforcement |
Trust Boundaries
Data Classification
| Classification | Examples | Protection Requirements |
|---|---|---|
| Critical | Vault credentials, signing keys | Hardware security, minimal access |
| Sensitive | User tokens, agent certificates | Encryption, access logging |
| Internal | Release configs, workflow definitions | Encryption at rest |
| Public | API documentation, release names | Integrity protection |
Security Controls Summary
| Control | Implementation | Threats Addressed |
|---|---|---|
| mTLS | Agent communication | T3 |
| Short-lived tokens | 15-min access tokens | T2 |
| Vault integration | No secrets in DB | T1 |
| Digest verification | Pull-time validation | T4 |
| Append-only tables | Evidence immutability | T5 |
| RBAC + SoD | Permission enforcement | T6 |
| Plugin sandbox | Resource limits, capability control | T7 |
| Scoped credentials | Task-specific access | T8 |
| Encryption | At rest and in transit | T9 |
| Rate limiting | API and resource quotas | T10 |
Incident Response
Detection Signals
| Signal | Indicates | Response |
|---|---|---|
| Digest mismatch at pull | T4 Tampering | Halt deployment, investigate registry |
| Evidence signature failure | T5 Tampering | Preserve logs, forensic analysis |
| Unusual agent registration | T3 Impersonation | Revoke agent, review access |
| SoD violation attempt | T6 Escalation | Block action, alert admin |
| Plugin network egress | T7 Supply chain | Isolate plugin, review manifest |
Response Procedures
- Contain: Isolate affected component (revoke token, disable agent)
- Investigate: Collect logs, evidence packets, audit trail
- Remediate: Patch vulnerability, rotate credentials
- Recover: Restore service, verify integrity
- Report: Document incident, update threat model
References