Using Process Models to understand Security Standards

05/27/2021
by Fabiola Moyón, et al.

Many industrial software development processes today have to comply with security standards such as the IEC 62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering. In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC 62443-4-1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.

