ACSC

The project ACSC (Automated Continuous Security Compliance) operates in the stress field between continuous software development and the compliance of software intensive-products to security-relevant requirements. We explore challenges and opportunities of automated security compliance activities, design and implement solutions, and we evaluate them in an industrial context.

Project description

Nowadays, almost every software-intensive system must comply with requirement from security-relevant regulations and standards, such as ISO 27001 or IEC 6243. Manual compliance analyses with such requirements is resource-intensive and error-prone, and it hinders the adoption of continuous software development methods like agile.

The inherent challenges between continuous software development and reproducibly complying with security requirements is one key challenge in large-scale industrial software development. Automating security compliance activities, where possible and appropriate, therefore offers a way to ensure strong long-term competitiveness in the market.

Research contribution

fortiss analyzes the challenges in automated security compliance activities in practice. Considering the relevance of the challenges and the automation potential they bare, fortiss designs and integrates solutions in ongoing project with relevant security requirements. Thus, the limitations of automation are explored, and specific solutions are developed and tested in practice to ensure their usefulness.

Funding

Siemens AG

Project duration

01.09.2023 - 31.08.2026

Your contact

Florian Angermeir

+49 89 3603522 279
angermeir@fortiss.org

Project partner

Publications

2024 Automated Security Findings Management: A Case Study in Industrial DevOps Markus Voggenreiter, Florian Angermeir, Fabiola Moyón, Ulrich Schöpp and Pierre-Louis Bonvin In 46th International Conference on Software Engineering: Software Engineering in Practice, ACM. Details DOI BIB
2024 Industrial Challenges in Secure Continuous Development Fabiola Moyón, Florian Angermeir and Daniel Mendez In 46th International Conference on Software Engineering: Software Engineering in Practice, ACM. Details DOI BIB

Name	Purpose	Lifetime	Type	Provider
_pk_id	Used to store a few details about the user such as the unique visitor ID.	13 months	HTML	Matomo
_pk_ref	Used to store the attribution information, the referrer initially used to visit the website.	6 months	HTML	Matomo
_pk_ses	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo
_pk_cvar	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo
_pk_hsr	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo