Abstract
Many industrial software development processes today have to comply with security standards such as the IEC 62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering. In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC 62443-4–1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
AG, S.: Aris - software ag. https://www.ariscommunity.com/
Ahola, J., et al.: Handbook of the Secure Agile Software Development Life Cycle. University of Oulu, Finland (2014)
Al-Hamdani, W.A.: Three models to measure information security compliance. IJISP 3(4), 43–67 (2009)
Beckers, K.: Pattern and Security Requirements. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16664-3
Bell, L., Brunton-Spall, M., Smith, R., Bird, J.: Agile Application Security. Enabling Security in a Continuous Delivery Pipeline. O’Reilly, Sebastopol (2017)
Dännart, S., Constante, F.M., Beckers, K.: An assessment model for continuous security compliance in large scale agile environments. In: Giorgini, P., Weber, B. (eds.) CAiSE 2019. LNCS, vol. 11483, pp. 529–544. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21290-2_33
Fernandez, E.B.: Threat modeling in cyber-physical systems. In: Proceedings (DASC/PiCom/DataCom/CyberSciTech) (2016)
Fitzgerald, B., Stol, K.J., O’Sullivan, R., O’Brien, D.: Scaling agile methods to regulated environments: an industry case study. In: Proceedings of ICSE, IEEE (2013)
Hu, J.: Idea to derive security policies from collaborative business processes. In: 2009 13th Enterprise Distributed Object Computing Conference Workshops, pp. 243–246 (September 2009)
IEC: 62443-4-1 security for industrial automation and control systems part 4–1 product security development life-cycle requirements (2018)
ISO/IEC: 27034. Information technology - Security techniques - Application security (2011)
Keramati, H., Mirian-Hosseinabadi, S.H.: Integrating software development security activities with agile methodologies. In: AICCSA (2008)
Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: 2013 International Conference on Availability, Reliability and Security, pp. 262–267 (September 2013)
Maidl, M., Kröselberg, D., Christ, J., Beckers, K.: A comprehensive framework for security in engineering projects - based on IEC 62443. In: 2018 IEEE ISSRE Workshops (2018)
McGraw, G., Migues, S., Chess, B.: Building security in maturity model, https://www.bsimm.com/about.html
Moyón, F., Beckers, K., Klepper, S., Lachberger, P., Bruegge, B.: Towards continuous security compliance in agile software development at scale. In: Proceedings of RCoSE, ACM (2018)
Moyón, F.: Towards continuous security. In: Master’s Thesis: Department of Informatics. Technical University Munich (2018)
Moyón, F., Bayr, C., Mendez, D., Dännart, S., Beckers, K.: A light-weight tool for the self-assessment of security compliance in software development – an industry case. In: Chatzigeorgiou, A. (ed.) SOFSEM 2020. LNCS, vol. 12011, pp. 403–416. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38919-2_33
Othmane, L., Jaatun, M., Weippl, E.: Empirical Research for Software Security: Foundations and Experience. CRC Press, Boca Raton (2017)
Ploetz, Zeller: Symbio. https://www.symbioworld.com/
Riesner, M., Pernul, G.: Supporting compliance through enhancing internal control systems by conceptual business process security modeling. In: ACIS Proceedings (2010)
Scaled Agile Inc.: Safe reference guide. http://www.scaledagileframework.com/ (2017)
Shostack, A.: Threat Modeling: Designing for Security. Wiley, Hoboken (2014)
Shull, F., Singer, J., Sjøberg, D.I.: Guide to Advanced Empirical Software Engineering. Springer, New York (2007)
Sunkle, S., Kholkar, D., Kulkarni, V.: Model-driven regulatory compliance: A case study of "know your customer" regulations. In: 18th ACM/IEEE MODELS, pp. 436–445 (September 2015)
Technology, S.A.C.: Security by Design with CMMI for Development Version 1.3. CMMI Institute (2013)
Tøndel, I.A., Jaatun, M.G., Cruzes, D.S., Moe, N.B.: Risk centric activities in secure software development in public organisations. IJSSE 8(4), 1–30 (2017)
Turpe, S., Poller, A.: Managing security work in scrum: tensions and challenges. In: Proceedings of SecSE (2017)
White, S., Miers, D.: BPMN Modeling and Reference Guide. Future Strategies, USA (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Moyón, F., Méndez, D., Beckers, K., Klepper, S. (2021). Using Process Models to Understand Security Standards. In: Bureš, T., et al. SOFSEM 2021: Theory and Practice of Computer Science. SOFSEM 2021. Lecture Notes in Computer Science(), vol 12607. Springer, Cham. https://doi.org/10.1007/978-3-030-67731-2_34
Download citation
DOI: https://doi.org/10.1007/978-3-030-67731-2_34
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-67730-5
Online ISBN: 978-3-030-67731-2
eBook Packages: Computer ScienceComputer Science (R0)