
Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure

Technical Report
This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.
Publisher: Software Engineering Institute

CMU/SEI Report Number: CMU/SEI-2023-TR-001

DOI (Digital Object Identifier): 10.1184/R1/22592884

Abstract

Many enterprises and government programs are concerned that adversaries may abuse weaknesses in a DevSecOps pipeline to inject exploitable vulnerabilities into their products and services. This report presents an approach using model-based systems engineering (MBSE) and the DevSecOps Platform Independent Model (PIM) to evaluate and mitigate the cybersecurity risks associated with a given enterprise’s or government program’s DevSecOps pipeline(s). The analysis approaches this report describes focus on ensuring that the DevSecOps pipeline and its associated products are implemented in a secure, safe, and sustainable way; are sufficiently free from vulnerabilities; and that the capabilities function only as intended. Ultimately, the PIM provides analysts with a minimum set of MBSE tools to assist with threat identification, analysis, documentation, and subsequent mitigations.

Cite This Technical Report

Chick, T., Pavetti, S., & Shevchenko, N. (2023, May 23). Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure. (Technical Report CMU/SEI-2023-TR-001). Retrieved December 2, 2024, from https://doi.org/10.1184/R1/22592884.

@techreport{chick_2023,
author={Chick, Timothy A. and Pavetti, Scott and Shevchenko, Nataliya},
title={Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure},
month={May},
year={2023},
number={CMU/SEI-2023-TR-001},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/22592884},
note={Accessed: 2024-Dec-2}
}

Chick, Timothy A., Scott Pavetti, and Nataliya Shevchenko. "Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure." (CMU/SEI-2023-TR-001). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, May 23, 2023. https://doi.org/10.1184/R1/22592884.

T. Chick, S. Pavetti, and N. Shevchenko, "Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2023-TR-001, 23-May-2023 [Online]. Available: https://doi.org/10.1184/R1/22592884. [Accessed: 2-Dec-2024].

Chick, Timothy A., Scott Pavetti, and Nataliya Shevchenko. "Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure." (Technical Report CMU/SEI-2023-TR-001). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 23 May. 2023. https://doi.org/10.1184/R1/22592884. Accessed 2 Dec. 2024.

Chick, Timothy A.; Pavetti, Scott; & Shevchenko, Nataliya. Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure. CMU/SEI-2023-TR-001. Software Engineering Institute. 2023. https://doi.org/10.1184/R1/22592884