Skip to main content
SpringerLink
Log in

Using Process Models to Understand Security Standards

  • Conference paper
  • First Online:
SOFSEM 2021: Theory and Practice of Computer Science (SOFSEM 2021)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12607))

Abstract

Many industrial software development processes today have to comply with security standards such as the IEC 62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering. In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC 62443-4–1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. AG, S.: Aris - software ag. https://www.ariscommunity.com/

  2. Ahola, J., et al.: Handbook of the Secure Agile Software Development Life Cycle. University of Oulu, Finland (2014)

    Google Scholar 

  3. Al-Hamdani, W.A.: Three models to measure information security compliance. IJISP 3(4), 43–67 (2009)

    Google Scholar 

  4. Beckers, K.: Pattern and Security Requirements. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16664-3

    Book  Google Scholar 

  5. Bell, L., Brunton-Spall, M., Smith, R., Bird, J.: Agile Application Security. Enabling Security in a Continuous Delivery Pipeline. O’Reilly, Sebastopol (2017)

    Google Scholar 

  6. Dännart, S., Constante, F.M., Beckers, K.: An assessment model for continuous security compliance in large scale agile environments. In: Giorgini, P., Weber, B. (eds.) CAiSE 2019. LNCS, vol. 11483, pp. 529–544. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21290-2_33

    Chapter  Google Scholar 

  7. Fernandez, E.B.: Threat modeling in cyber-physical systems. In: Proceedings (DASC/PiCom/DataCom/CyberSciTech) (2016)

    Google Scholar 

  8. Fitzgerald, B., Stol, K.J., O’Sullivan, R., O’Brien, D.: Scaling agile methods to regulated environments: an industry case study. In: Proceedings of ICSE, IEEE (2013)

    Google Scholar 

  9. Hu, J.: Idea to derive security policies from collaborative business processes. In: 2009 13th Enterprise Distributed Object Computing Conference Workshops, pp. 243–246 (September 2009)

    Google Scholar 

  10. IEC: 62443-4-1 security for industrial automation and control systems part 4–1 product security development life-cycle requirements (2018)

    Google Scholar 

  11. ISO/IEC: 27034. Information technology - Security techniques - Application security (2011)

    Google Scholar 

  12. Keramati, H., Mirian-Hosseinabadi, S.H.: Integrating software development security activities with agile methodologies. In: AICCSA (2008)

    Google Scholar 

  13. Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: 2013 International Conference on Availability, Reliability and Security, pp. 262–267 (September 2013)

    Google Scholar 

  14. Maidl, M., Kröselberg, D., Christ, J., Beckers, K.: A comprehensive framework for security in engineering projects - based on IEC 62443. In: 2018 IEEE ISSRE Workshops (2018)

    Google Scholar 

  15. McGraw, G., Migues, S., Chess, B.: Building security in maturity model, https://www.bsimm.com/about.html

  16. Moyón, F., Beckers, K., Klepper, S., Lachberger, P., Bruegge, B.: Towards continuous security compliance in agile software development at scale. In: Proceedings of RCoSE, ACM (2018)

    Google Scholar 

  17. Moyón, F.: Towards continuous security. In: Master’s Thesis: Department of Informatics. Technical University Munich (2018)

    Google Scholar 

  18. Moyón, F., Bayr, C., Mendez, D., Dännart, S., Beckers, K.: A light-weight tool for the self-assessment of security compliance in software development – an industry case. In: Chatzigeorgiou, A. (ed.) SOFSEM 2020. LNCS, vol. 12011, pp. 403–416. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38919-2_33

    Chapter  Google Scholar 

  19. Othmane, L., Jaatun, M., Weippl, E.: Empirical Research for Software Security: Foundations and Experience. CRC Press, Boca Raton (2017)

    Book  Google Scholar 

  20. Ploetz, Zeller: Symbio. https://www.symbioworld.com/

  21. Riesner, M., Pernul, G.: Supporting compliance through enhancing internal control systems by conceptual business process security modeling. In: ACIS Proceedings (2010)

    Google Scholar 

  22. Scaled Agile Inc.: Safe reference guide. http://www.scaledagileframework.com/ (2017)

  23. Shostack, A.: Threat Modeling: Designing for Security. Wiley, Hoboken (2014)

    Google Scholar 

  24. Shull, F., Singer, J., Sjøberg, D.I.: Guide to Advanced Empirical Software Engineering. Springer, New York (2007)

    Google Scholar 

  25. Sunkle, S., Kholkar, D., Kulkarni, V.: Model-driven regulatory compliance: A case study of "know your customer" regulations. In: 18th ACM/IEEE MODELS, pp. 436–445 (September 2015)

    Google Scholar 

  26. Technology, S.A.C.: Security by Design with CMMI for Development Version 1.3. CMMI Institute (2013)

    Google Scholar 

  27. Tøndel, I.A., Jaatun, M.G., Cruzes, D.S., Moe, N.B.: Risk centric activities in secure software development in public organisations. IJSSE 8(4), 1–30 (2017)

    Google Scholar 

  28. Turpe, S., Poller, A.: Managing security work in scrum: tensions and challenges. In: Proceedings of SecSE (2017)

    Google Scholar 

  29. White, S., Miers, D.: BPMN Modeling and Reference Guide. Future Strategies, USA (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Siemens Technology, Munich, Germany

    Fabiola Moyón

  2. Blekinge Institute of Technology, Karlskrona, Sweden

    Daniel Méndez

  3. Social Engineering Academy, Munich, Germany

    Kristian Beckers

  4. Technical University Munich TUM, Munich, Germany

    Fabiola Moyón & Sebastian Klepper

  5. fortiss GmbH, Munich, Germany

    Daniel Méndez

Authors
  1. Fabiola Moyón
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Daniel Méndez
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kristian Beckers
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Sebastian Klepper
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fabiola Moyón .

Editor information

Editors and Affiliations

  1. Charles University, Prague, Czech Republic

    Tomáš Bureš

  2. University of Bergamo, Bergamo, Italy

    Riccardo Dondi

  3. Free University of Bozen-Bolzano, Bolzano, Italy

    Johann Gamper

  4. University of Genoa, Genoa, Italy

    Giovanna Guerrini

  5. University of Wroclaw, Wroclaw, Poland

    Tomasz Jurdziński

  6. Free University of Bozen-Bolzano, Bolzano, Italy

    Claus Pahl

  7. University Paris Dauphine, Paris, France

    Florian Sikora

  8. University of Liverpool, Liverpool, UK

    Prudence W.H. Wong

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Moyón, F., Méndez, D., Beckers, K., Klepper, S. (2021). Using Process Models to Understand Security Standards. In: Bureš, T., et al. SOFSEM 2021: Theory and Practice of Computer Science. SOFSEM 2021. Lecture Notes in Computer Science(), vol 12607. Springer, Cham. https://doi.org/10.1007/978-3-030-67731-2_34

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-67731-2_34

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-67730-5

  • Online ISBN: 978-3-030-67731-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation