Using Process Models to understand Security Standards
This addresses the challenge for industrial software development teams and security experts in complying with security standards efficiently, though it is incremental as it builds on existing process modeling techniques.
The paper tackles the problem of ambiguous and complex security standards like IEC 62443-4-1, which hinder understanding and compliance in software development, by proposing a tool-supported approach using process models to make these standards more precise and easier to understand, as demonstrated in a case study with 16 industry practitioners that improved communication between development and security compliance teams.
Many industrial software development processes today have to comply with security standards such as the IEC~62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering. In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC62443-4-1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.