
Towards Automated Continuous Security Compliance (2407.21494v2)

Published 31 Jul 2024 in cs.SE

Abstract: Context: Continuous Software Engineering is increasingly adopted in highly regulated domains, raising the need for continuous compliance. Adherence to security regulations in particular, a major concern in highly regulated domains, makes Continuous Security Compliance highly relevant to both industry and research. Problem: One key barrier to adopting continuous software engineering in industry is the resource-intensive and error-prone nature of traditional manual security compliance activities. Automation promises to be advantageous. However, continuous security compliance is under-researched, which precludes effective adoption. Contribution: We have initiated a long-term research project with our industry partner to address these issues. In this manuscript, we make three contributions: (1) we provide a precise definition of the term continuous security compliance that aligns with the state of the art, (2) we elaborate a preliminary overview of challenges in the field of automated continuous security compliance through a tertiary literature study, and (3) we present a research roadmap to address those challenges via automated continuous security compliance.

