This content is not included in your SAE MOBILUS subscription, or you are not logged in.
Challenges in integrating Cybersecurity into existing development processes
ISSN: 0148-7191, e-ISSN: 2688-3627
To be published on April 14, 2020 by SAE International in United States
For an established development process and a team accustomed to this process, adding security features to the product initially means inconvenience and reduced productivity. Due to the progression towards a modern information society, connectivity is becoming a vital part of more and more systems. Increased connectivity especially of embedded devices and a rise of cyber-attacks lead to more risks which need to be acknowledged during the respective development processes to fulfil customers’ expectations. Dealing with these risks requires adapting development processes to take Cybersecurity into account. This introduces challenges not present in engineering divisions so far and strategies designed to deal with these challenges differ in the way in which added duties are assigned and security topics are integrated into the already existing process steps. Security requirements often clash with existing system requirements or established development methods and their importance is not easily understood. Due to this fact, their acceptance amongst developers can be low, making it even more important to have clear policies how differences between security and other fields are handled. Also, the benefits of adding security features other than fulfilling customer requirements need to be clearly communicated and advertised. It seems natural to orientate oneself by how safety topics are handled in the development process and adjust this to accommodate security. It is, however, not clear in which way these added responsibility should be assigned as conflicts of interest can occur when a single person must take security goals into account which might be clashing with other project goals. Creating a role in the development process dedicated to Cybersecurity leads to conflicts arising between that and other roles. These conflicts then need to be resolved by prioritizing one over the other. A security development approach is frequently perceived as introducing impediments which bears the risk of security measures receiving a low priority to reduce inconvenience. Moreover, this can lead to frustration among security developers when their proposals are not accepted, and they feel their work is not appreciated. Prioritizing security too much on the other hand can lead to feature creep and make the development unnecessarily complicated without producing appropriate results. Ideally, security aspects are considered and integrated into development processes not only to fulfil customer and legal requirements, but also to enable developers of functionalities not directly related to security to produce better and more robust results as shortcuts are no longer easily possible.