A Light-Weight Tool for the Self-assessment of Security Compliance in Software Development – An Industry Case

  • Fabiola Moyón
  • Christoph Bayr
  • Daniel Mendez
  • Sebastian Dännart
  • Kristian Beckers
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12011)


Companies are often challenged to modify and improve their software development processes in order to make them compliant with security standards. The complexity of these processes makes it difficult for practitioners to validate, and to foresee the effort required for, compliance assessments. Further, performing gap analyses when processes are not yet mature enough is costly, and involving auditors in early stages is, in our experience, often inefficient. An easier and more productive approach is to conduct a self-assessment. However, practitioners, in particular developers, quality engineers, and product owners, have difficulty identifying the security-relevant process artifacts required by standards. They would benefit from a proper and light-weight tool for performing early compliance assessments of their processes with respect to security standards before entering an in-depth audit. In this paper, we report on our current effort at Siemens Corporate Technology to develop such a light-weight tool for assessing the security compliance of software development processes with the IEC 62443-4-1 standard, and we discuss first results from an interview-based evaluation.


Keywords: Security standards; Secure software engineering; Security assessment; Secure development process; Tool-support



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Siemens CT Munich, Munich, Germany
  2. Technical University of Munich, Munich, Germany
  3. Blekinge Institute of Technology, Karlskrona, Sweden
  4. fortiss GmbH, Munich, Germany
  5. INFODAS GmbH, Cologne, Germany
