search menu icon-carat-right cmu-wordmark

Using Model-Based Systems Engineering (MBSE) to Assure a DevSecOps Pipeline is Sufficiently Secure

May 2023 Technical Report
Timothy A. Chick, Scott Pavetti, Nataliya Shevchenko

This report describes how analysts can use a model-based systems engineering (MBSE) approach to detect and mitigate cybersecurity risks to a DevSecOps pipeline.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2023-TR-001

DOI (Digital Object Identifier):
10.1184/R1/22592884

Abstract

Many enterprises and government programs are concerned that adversaries may abuse weaknesses in a DevSecOps pipeline to inject exploitable vulnerabilities into their products and services. This report presents an approach using model-based systems engineering (MBSE) and the DevSecOps Platform Independent Model (PIM) to evaluate and mitigate the cybersecurity risks associated with a given enterprise’s or government program’s DevSecOps pipeline(s). The analysis approaches this report describes focus on ensuring that the DevSecOps pipeline and its associated products are implemented in a secure, safe, and sustainable way; are sufficiently free from vulnerabilities; and the capabilities only function as intended. Ultimately, the PIM provides analysts with a minimum set of MBSE tools to assist with threat identification, analysis, documentation, and subsequent mitigations.