Using Process Models to understand Security Standards

TL;DR

This paper introduces a process model-based tool approach to clarify and interpret complex security standards like IEC 62443-4-1, enhancing understanding and communication among practitioners in industrial software development.

Contribution

It presents a novel process model approach to improve comprehension of security standards, demonstrated through a case study with industry practitioners.

Findings

Improved communication between development and security teams.

Enhanced clarity and understanding of security standards.

Practical applicability in industrial settings.

Abstract

Many industrial software development processes today have to comply with security standards such as the IEC~62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering. In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC62443-4-1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.