Leveraging zero trust and risk indicators to support continuous vulnerability compliance
DOI: https://doi.org/10.5753/jisa.2026.5922

Keywords: Continuous Compliance, Vulnerability Management, Zero Trust Architecture, Incident Response, Identity Provisioning, Supply Chain, SPIRE

Abstract
Open source dependencies are the leading source of vulnerabilities in applications and are often exploited in software supply chain attacks. Efforts to assess vulnerabilities are employed during DevSecOps pipelines in order to keep a system compliant with security regimes. However, current strategies for continuous compliance are limited to preventing issues before deployment, and thus do not address changes in dynamic aspects such as newfound vulnerabilities, let alone how to respond to such incidents. In this work, we leverage zero-trust to enable continuous, post-deployment vulnerability compliance assessment, isolating workloads that fail to meet a minimum security posture. This approach balances exploitation prevention with application availability --- a fundamental trade-off for critical use cases. The solution is built on top of SPIRE, a robust open-source identity provider based on workload attestation, and implements a custom plugin that responds to compliance violations driven by dynamic aspects exposed by OWASP's Dependency Track, an open-source tool for monitoring software components and their dependencies for vulnerabilities. To enhance flexibility in the security-availability trade-off, we introduce a grace period mechanism, enabling organizations to defer enforcement of newly identified vulnerabilities based on workload criticality, thus supporting availability for non-critical workloads without compromising long-term security. Finally, we evaluate the performance impact of this approach on a SPIRE environment, showing that the added resource usage reliably remains within the recommended 16 GiB of RAM and 4 vCPUs to run Dependency Track in production. We also show that the plugin adds less than 6 seconds of latency to the attestation process, which is insignificant given its default frequency of twice per hour. Moreover, the results confirm that the approach successfully prevents vulnerability exploitation by prioritizing security, while enabling controlled flexibility in less critical contexts.
Copyright (c) 2026 Journal of Internet Services and Applications
This work is licensed under a Creative Commons Attribution 4.0 International License.