search menu icon-carat-right cmu-wordmark

Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure

Technical Report
This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2023-TR-001
DOI (Digital Object Identifier)
10.1184/R1/22592884

Abstract

Many enterprises and government programs are concerned that adversaries may abuse weaknesses in a DevSecOps pipeline to inject exploitable vulnerabilities into their products and services. This report presents an approach using model-based systems engineering (MBSE) and the DevSecOps Platform Independent Model (PIM) to evaluate and mitigate the cybersecurity risks associated with a given enterprise’s or government program’s DevSecOps pipeline(s). The analysis approaches this report describes focus on ensuring that the DevSecOps pipeline and its associated products are implemented in a secure, safe, and sustainable way; are sufficiently free from vulnerabilities; and the capabilities only function as intended. Ultimately, the PIM provides analysts with a minimum set of MBSE tools to assist with threat identification, analysis, documentation, and subsequent mitigations.

Cite This Technical Report

Chick, T., Pavetti, S., & Shevchenko, N. (2023, May 23). Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure. (Technical Report CMU/SEI-2023-TR-001). Retrieved July 13, 2024, from https://doi.org/10.1184/R1/22592884.

@techreport{chick_2023,
author={Chick, Timothy A. and Pavetti, Scott and Shevchenko, Nataliya},
title={Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure},
month={May},
year={2023},
number={CMU/SEI-2023-TR-001},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/22592884},
note={Accessed: 2024-Jul-13}
}

Chick, Timothy A., Scott Pavetti, and Nataliya Shevchenko. "Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure." (CMU/SEI-2023-TR-001). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, May 23, 2023. https://doi.org/10.1184/R1/22592884.

T. Chick, S. Pavetti, and N. Shevchenko, "Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2023-TR-001, 23-May-2023 [Online]. Available: https://doi.org/10.1184/R1/22592884. [Accessed: 13-Jul-2024].

Chick, Timothy A., Scott Pavetti, and Nataliya Shevchenko. "Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure." (Technical Report CMU/SEI-2023-TR-001). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 23 May. 2023. https://doi.org/10.1184/R1/22592884. Accessed 13 Jul. 2024.

Chick, Timothy A.; Pavetti, Scott; & Shevchenko, Nataliya. Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure. CMU/SEI-2023-TR-001. Software Engineering Institute. 2023. https://doi.org/10.1184/R1/22592884