An Assessment Model for Continuous Security Compliance in Large Scale Agile Environments Exploratory Paper
| Published in | Advanced Information Systems Engineering pp. 529 - 544 |
|---|---|
| Main Authors | , , |
| Format | Book Chapter |
| Language | English |
| Published | Cham: Springer International Publishing, 2019 |
| Series | Lecture Notes in Computer Science |
| Subjects | |
| Online Access | Get full text |
| ISBN | 9783030212896 3030212890 |
| ISSN | 0302-9743 1611-3349 |
| DOI | 10.1007/978-3-030-21290-2_33 |
| Summary: | Compliance with security standards for engineering secure software and hardware products is essential to gain and keep customers' trust. In particular, industrial control systems (ICS) have a significant need for secure development activities. The standard IEC 62443-4-1 (4-1) is a novel norm that describes the activities required to engineer secure products. However, assessing whether the norm is still fulfilled in continuous agile software engineering environments is difficult. It often remains unclear how the agile and the secure development process have to intertwine. This is even more problematic when changes based on the assessment results of 4-1 or other secure development activities have to be applied. We contribute a novel assessment model that contains a baseline process for secure agile software engineering compliant with 4-1. Our assessment results show precisely where in the development process activities or artifacts have to be applied. Moreover, it contains a refinement into goals and metrics that allow the evaluator to present the evaluatee with a precise 'shopping list' of where to invest to achieve compliance. Afterwards, management can include precise compliance expenditure estimates in their business models. |
|---|---|