Abstract
Companies are often challenged to modify and improve their software development processes in order to make them compliant with security standards. The complexity of these processes makes it difficult for practitioners to validate and foresee the effort required for compliance assessments. Further, performing gap analyses when processes are not yet mature enough is costly, and involving auditors at early stages is, in our experience, often inefficient. An easier and more productive approach is to conduct a self-assessment. However, practitioners, in particular developers, quality engineers, and product owners, face difficulties in identifying the security-relevant process artifacts required by standards. They would benefit from a proper and light-weight tool to perform early compliance assessments of their processes with respect to security standards before entering an in-depth audit. In this paper, we report on our current effort at Siemens Corporate Technology to develop such a light-weight assessment tool for assessing the security compliance of software development processes with the IEC 62443-4-1 standard, and we discuss first results from an interview-based evaluation.
Notes
1. The tool is implemented as a Microsoft Excel file with embedded Visio models and VBA macros.
© 2020 Springer Nature Switzerland AG
Cite this paper
Moyón, F., Bayr, C., Mendez, D., Dännart, S., Beckers, K. (2020). A Light-Weight Tool for the Self-assessment of Security Compliance in Software Development – An Industry Case. In: Chatzigeorgiou, A., et al. (eds.) SOFSEM 2020: Theory and Practice of Computer Science. SOFSEM 2020. Lecture Notes in Computer Science, vol. 12011. Springer, Cham. https://doi.org/10.1007/978-3-030-38919-2_33
DOI: https://doi.org/10.1007/978-3-030-38919-2_33
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38918-5
Online ISBN: 978-3-030-38919-2
eBook Packages: Computer Science, Computer Science (R0)