Nataliya Shevchenko, Scott Pavetti, Timothy A. Chick
Many enterprises and government programs are concerned that adversaries may abuse weaknesses in a DevSecOps pipeline to inject exploitable vulnerabilities into their products and services. This report presents an approach using model-based systems engineering (MBSE) and the DevSecOps Platform Independent Model (PIM) to evaluate and mitigate the cybersecurity risks associated with a given enterprise’s or government program’s DevSecOps pipeline(s). The analysis approaches this report describes focus on ensuring that the DevSecOps pipeline and its associated products are implemented in a secure, safe, and sustainable way; are sufficiently free from vulnerabilities; and the capabilities only function as intended. Ultimately, the PIM provides analysts with a minimum set of MBSE tools to assist with threat identification, analysis, documentation, and subsequent mitigations.
Year published: 2023