How to Integrate Security Compliance Requirements with Agile Software Engineering at Scale?
Fabiola Moyón, Daniel Méndez Fernández, Kristian Beckers and Sebastian Klepper

TL;DR
This paper presents S2C-SAFe, an extension of the Scaled Agile Framework designed to ensure security compliance with IEC 62443-4-1 in large-scale agile projects, evaluated within Siemens.
Contribution
It introduces S2C-SAFe, a novel framework that integrates security standards into scaled agile practices, addressing compliance challenges in regulated industries.
Findings
S2C-SAFe helps integrate security compliance in large-scale agile development.
Evaluation shows positive benefits from practitioners' perspectives.
Framework highlights challenges and benefits of security integration in agile environments.
Abstract
Integrating security into agile software development is an open issue for research and practice. Especially in strongly regulated industries, complexity increases not only when scaling agile practices but also when aiming for compliance with security standards. To achieve security compliance in a large-scale agile context, we developed S2C-SAFe: an extension of the Scaled Agile Framework that is compliant with the security standard IEC 62443-4-1 for secure product development. In this paper, we present the framework and its evaluation by agile and security experts within Siemens' large-scale project ecosystem. We discuss benefits and limitations as well as challenges from a practitioners' perspective. Our results indicate that S2C-SAFe contributes to successfully integrating security compliance with lean and agile development in regulated environments. We also hope to raise awareness for…
