Abstract
Integrating security into agile software development is an open issue for research and practice. Especially in strongly regulated industries, complexity increases not only when scaling agile practices but also when aiming for compliance with security standards. To achieve security compliance in a large-scale agile context, we developed S2C-SAFe: an extension of the Scaled Agile Framework that complies with the security standard IEC 62443-4-1 for secure product development.
In this paper, we present the framework and its evaluation by agile and security experts within Siemens’ large-scale project ecosystem. We discuss benefits and limitations as well as challenges from a practitioners’ perspective. Our results indicate that S2C-SAFe contributes to successfully integrating security compliance with lean and agile development in regulated environments. We also hope to raise awareness for the importance and challenges of integrating security in the scope of Continuous Software Engineering.
Acknowledgements
To the practitioners who evaluated this work and to M. Voggenreiter and F. Angermeir for their accurate review.
Copyright information
© 2020 Springer Nature Switzerland AG
Moyón, F., Méndez, D., Beckers, K., Klepper, S. (2020). How to Integrate Security Compliance Requirements with Agile Software Engineering at Scale? In: Morisio, M., Torchiano, M., Jedlitschka, A. (eds) Product-Focused Software Process Improvement. PROFES 2020. Lecture Notes in Computer Science, vol 12562. Springer, Cham. https://doi.org/10.1007/978-3-030-64148-1_5
DOI: https://doi.org/10.1007/978-3-030-64148-1_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64147-4
Online ISBN: 978-3-030-64148-1
eBook Packages: Computer Science (R0)