Publicação
Large scale agile software development compliant to IEC 62443-4-1: artefact design and tool support
| Resumo: | There has been a considerable increase in the use of agile methodologies over the last years. However, applying these methodologies can be challenging, particularly for industrial control systems that must obey to rigorous operational requirements through regulations and standards, and in particular cybersecurity requirements. The current work proposes a concept for a structured and systematic integration of security activities into a DevOps pipeline, with the ambition of pursuing the capability of both secure agile development and security compliant agile software engineering. The basis for this concept is the integration of the IEC 62443-4-1 (4-1) standard, which describes secure product development in industrial control systems, with a Continuous Integration/Continuous Delivery pipeline specification. To achieve this, the security requirements, as described in the 4-1 standard, were mapped into a simple DevOps pipeline specification. As a result, all of the 4-1 activities were analysed and classified according to the possibility of being automated through tool support. Interviews with expert practitioners, from the fields of security compliance and agile software engineering, were conducted to evaluate the present work. Results have shown evidence about the possibility of providing tool support for the IEC 62443-4-1 standard and to specify a DevOps pipeline compliant to the 4-1 standard. |
|---|---|
| Autores principais: | Soares, Rafael Martins |
| Assunto: | IT security Security standard Continuous security Continuous compliance Industrial security in IT Segurança em TI’s Norma de segurança Segurança contínua Conformidade contínua |
| Ano: | 2019 |
| País: | Portugal |
| Tipo de documento: | dissertação de mestrado |
| Tipo de acesso: | acesso aberto |
| Instituição associada: | ISCTE |
| Idioma: | inglês |
| Origem: | Repositório ISCTE |
| Resumo: | There has been a considerable increase in the use of agile methodologies over the last years. However, applying these methodologies can be challenging, particularly for industrial control systems that must obey to rigorous operational requirements through regulations and standards, and in particular cybersecurity requirements. The current work proposes a concept for a structured and systematic integration of security activities into a DevOps pipeline, with the ambition of pursuing the capability of both secure agile development and security compliant agile software engineering. The basis for this concept is the integration of the IEC 62443-4-1 (4-1) standard, which describes secure product development in industrial control systems, with a Continuous Integration/Continuous Delivery pipeline specification. To achieve this, the security requirements, as described in the 4-1 standard, were mapped into a simple DevOps pipeline specification. As a result, all of the 4-1 activities were analysed and classified according to the possibility of being automated through tool support. Interviews with expert practitioners, from the fields of security compliance and agile software engineering, were conducted to evaluate the present work. Results have shown evidence about the possibility of providing tool support for the IEC 62443-4-1 standard and to specify a DevOps pipeline compliant to the 4-1 standard. |
|---|