An Assessment Model for Continuous Security Compliance in Large Scale Agile Environments

Exploratory Paper

  • Conference paper
  • Advanced Information Systems Engineering (CAiSE 2019)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11483)

Abstract

Compliance with security standards for engineering secure software and hardware products is essential to gain and keep customers' trust. In particular, industrial control systems (ICS) have a significant need for secure development activities. The standard IEC 62443-4-1 (4-1) is a novel norm that describes the activities required to engineer secure products. However, assessing whether the norm is still fulfilled in continuous agile software engineering environments is difficult. It often remains unclear how the agile and the secure development process have to intertwine. This is even more problematic when changes based on the assessment results of 4-1 or other secure development activities have to be applied. We contribute a novel assessment model that contains a baseline process for secure agile software engineering compliant with 4-1. Our assessment results show precisely where in the development process activities or artifacts have to be applied. Moreover, the model contains a refinement into goals and metrics that allows the evaluator to present the evaluatee with a precise 'shopping list' of where to invest to achieve compliance. Afterwards, management can include precise compliance expenditure estimates in their business models.

Notes

  1. For the complete interview questionnaire visit https://sites.google.com/view/s2c-am-evaluation.

Author information

Correspondence to Sebastian Dännart .

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Dännart, S., Constante, F.M., Beckers, K. (2019). An Assessment Model for Continuous Security Compliance in Large Scale Agile Environments. In: Giorgini, P., Weber, B. (eds) Advanced Information Systems Engineering. CaiSE 2019. Lecture Notes in Computer Science, vol 11483. Springer, Cham. https://doi.org/10.1007/978-3-030-21290-2_33

  • DOI: https://doi.org/10.1007/978-3-030-21290-2_33
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-21289-6
  • Online ISBN: 978-3-030-21290-2