Using Process Models to understand Security Standards

by   Fabiola Moyón, et al.

Many industrial software development processes today have to comply with security standards such as the IEC 62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering. In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC62443-4-1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.


page 1

page 2

page 3

page 4


Integration of Security Standards in DevOps Pipelines: An Industry Case Study

In the last decade, companies adopted DevOps as a fast path to deliver s...

Using a Semantic Knowledge Base to Improve the Management of Security Reports in Industrial DevOps Projects

Integrating security activities into the software development lifecycle ...

A Study about the Knowledge and Use of Requirements Engineering Standards in Industry

Context: The use of standards is considered a vital part of any engineer...

Compliance Requirements in Large-Scale Software Development: An Industrial Case Study

Regulatory compliance is a well-studied area, including research on how ...

Design Dimensions for Software Certification: A Grounded Analysis

In many domains, software systems cannot be deployed until authorities j...

An Empirical Survey on Co-simulation: Promising Standards, Challenges and Research Needs

Co-simulation is a promising approach for the modelling and simulation o...

A Process to Facilitate Automated Automotive Cybersecurity Testing

Modern vehicles become increasingly digitalized with advanced informatio...