Towards Automated Continuous Security Compliance

Florian Angermeir, Jannik Fischbach, Fabiola Moyón, Daniel Mendez

TL;DR

The paper addresses continuous security compliance (CSC) in highly regulated domains, where manual security compliance activities are too resource-intensive and error-prone to keep pace with continuous software engineering. It contributes a precise, technology-agnostic definition of CSC aligned with the state of the art; a tertiary literature study that identifies and extends the industrial challenges of automating CSC; and a long-term research roadmap, pursued in an industry-academic collaboration, for addressing those challenges through automated CSC. The roadmap follows a Design Science Methodology with iterative problem framing, treatment design, and validation, and outlines an experimental environment and stakeholder engagement to bridge theory and practice. Overall, the work lays foundational definitions, catalogs challenges, and offers a structured path toward practical automation of CSC.

Abstract

Context: Continuous Software Engineering is increasingly adopted in highly regulated domains, raising the need for continuous compliance. Adherence to security regulations in particular, a major concern in highly regulated domains, makes Continuous Security Compliance highly relevant to both industry and research. Problem: One key barrier to adopting continuous software engineering in industry is the resource-intensive and error-prone nature of traditional manual security compliance activities. Automation promises to be advantageous. However, continuous security compliance is under-researched, which precludes effective adoption. Contribution: We have initiated a long-term research project with our industry partner to address these issues. In this manuscript, we make three contributions: (1) we provide a precise definition of the term continuous security compliance, aligned with the state of the art; (2) we elaborate a preliminary overview of challenges in the field of automated continuous security compliance through a tertiary literature study; and (3) we present a research roadmap to address those challenges via automated continuous security compliance.

Paper Structure (9 sections, 2 figures, 1 table)

Figures (2)

  • Figure 1: Literature Review Process
  • Figure 2: Summary of the Research Roadmap