An Assessment Model for Continuous Security Compliance in Large Scale Agile Environments

Exploratory Paper
  • Sebastian Dännart
  • Fabiola Moyón Constante
  • Kristian Beckers
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11483)


Compliance with security standards for engineering secure software and hardware products is essential to gain and keep customers' trust. In particular, industrial control systems (ICS) have a significant need for secure development activities. The standard IEC 62443-4-1 (4-1) is a novel norm that describes the activities required to engineer secure products. However, assessing whether the norm is still fulfilled in continuous agile software engineering environments is difficult. It often remains unclear how the agile and the secure development processes have to intertwine. This is even more problematic when changes based on assessment results for 4-1 or other secure development activities have to be applied. We contribute a novel assessment model that contains a baseline process for secure agile software engineering compliant with 4-1. Our assessment results show precisely where in the development process activities or artifacts have to be applied. Moreover, the model contains a refinement into goals and metrics that allows the evaluator to present the evaluatee with a precise 'shopping list' of where to invest to achieve compliance. Afterwards, management can include precise compliance expenditure estimates in their business models.


Keywords: IT security, Agile development, Compliance assessment, Security standard



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Sebastian Dännart (1, 2)
  • Fabiola Moyón Constante (2)
  • Kristian Beckers (2)

  1. Infodas GmbH, Cologne, Germany
  2. Siemens Corporate Technology, Munich, Germany
