SE · May 27, 2021

How to Integrate Security Compliance Requirements with Agile Software Engineering at Scale?

arXiv:2105.13404v12 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses the challenge of scaling security compliance in agile practices in regulated industries such as those in which Siemens operates. The contribution appears incremental, since it extends an existing framework (SAFe) rather than proposing a new one.

The paper tackles the problem of integrating security compliance into large-scale agile software development in regulated industries by developing S2C-SAFe, an extension of the Scaled Agile Framework compliant with IEC 62443-4-1, and finds that it contributes to successful integration in such environments.

Integrating security into agile software development is an open issue for research and practice. Especially in strongly regulated industries, complexity increases not only when scaling agile practices but also when aiming for compliance with security standards. To achieve security compliance in a large-scale agile context, we developed S2C-SAFe: an extension of the Scaled Agile Framework that is compliant with the security standard IEC 62443-4-1 for secure product development. In this paper, we present the framework and its evaluation by agile and security experts within Siemens' large-scale project ecosystem. We discuss benefits and limitations as well as challenges from a practitioners' perspective. Our results indicate that S2C-SAFe contributes to successfully integrating security compliance with lean and agile development in regulated environments. We also hope to raise awareness of the importance and challenges of integrating security in the scope of Continuous Software Engineering.

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
