The Open Radio Access Network (O-RAN) integrates numerous software components in a cloud-like deployment, opening the radio access network to previously unconsidered security threats. With the ever-evolving threat landscape, integrating security practices through a DevSecOps approach is essential for fast and secure releases. Current vulnerability assessment practices often rely on manual, labor-intensive, and subjective investigations, leading to inconsistencies in the threat analysis. To mitigate these issues, we establish an automated pipeline that leverages Natural Language Processing (NLP) to minimize human intervention and the associated biases. By mapping real-world vulnerabilities to predefined threat lists with a standardized input format, our approach is the first to enable iterative, quantitative, and efficient assessments, generating reliable threat scores for both individual vulnerabilities and entire system components within O-RAN. We illustrate the effectiveness of our framework through an example implementation for O-RAN, showcasing how continuous security testing can integrate into automated testing pipelines to address the unique security challenges of this paradigm shift in telecommunications.
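As an added illustration of the mapping step described above (not the paper's own pipeline or code), the following self-contained matcher turns free-text vulnerability records in a fixed input format into TF-IDF vectors, assigns each record to the closest entry of a threat list by cosine similarity, and aggregates a per-component score. The threat identifiers, component names and all descriptions are constructed placeholders for this example, not the paper's predefined O-RAN threat list.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed placeholder threat list (ids and text are assumptions, not the paper's O-RAN threat list).
THREATS = {
    "T-UNAUTH-API": "unauthenticated access to management interface api allows remote attacker to modify configuration",
    "T-DOS": "resource exhaustion denial of service crash of network function by malformed message",
    "T-WEAK-CRYPTO": "weak or disabled tls encryption exposes control plane traffic to interception",
}

# Constructed vulnerability records in one fixed input format: id, component, free-text description.
VULNS = [
    {"id": "V1", "component": "Near-RT RIC", "text": "The xApp management REST API accepts requests without authentication, allowing configuration changes."},
    {"id": "V2", "component": "Near-RT RIC", "text": "A malformed E2 message causes the subscription manager to crash, leading to denial of service."},
    {"id": "V3", "component": "O-CU", "text": "TLS is disabled by default on the E1 interface, so control plane traffic can be intercepted."},
]

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())  # no stemming: "intercepted" != "interception"

def tfidf(docs):
    """One sparse TF-IDF vector (dict) per token list, all sharing the same smoothed IDF table."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    vecs = []
    for d in docs:
        tf = Counter(d)
        vecs.append({t: (c / len(d)) * (math.log((1 + n) / (1 + df[t])) + 1) for t, c in tf.items()})
    return vecs

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na, nb = math.sqrt(sum(w * w for w in a.values())), math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def assess(vulns, threats):
    """Map each vulnerability to its closest threat; a component's score is the mean of its best-match scores."""
    ids = list(threats)
    vecs = tfidf([tokenize(threats[i]) for i in ids] + [tokenize(v["text"]) for v in vulns])
    tvecs, vvecs = dict(zip(ids, vecs[:len(ids)])), vecs[len(ids):]
    per_vuln, buckets = [], defaultdict(list)
    for v, vv in zip(vulns, vvecs):
        best = max(ids, key=lambda i: cosine(vv, tvecs[i]))  # ties resolve to the first listed threat
        score = cosine(vv, tvecs[best])
        per_vuln.append({"id": v["id"], "component": v["component"], "threat": best, "score": round(score, 3)})
        buckets[v["component"]].append(score)
    per_component = {c: round(sum(s) / len(s), 3) for c, s in buckets.items()}
    return per_vuln, per_component
```

Calling `assess(VULNS, THREATS)` returns the per-vulnerability assignments and the per-component scores; a real pipeline would replace the bag-of-words vectors with a stronger text model and the mean with the scoring rule its threat list defines.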