ISO/SAE 21434 [1] Final International Standard was released September 2021 to great fanfare and is the most prominent standard in Automotive Cybersecurity. As members of the Joint Working Group (JWG) the authors spent 5 years developing the 84 pages of precise wording acceptable to hundreds of contributors. At the same time the auto industry had been undergoing a metamorphosis probably unmatched in its hundred-year history. A centerpiece of the metamorphosis is the adoption of the Agile development method to meet market demands for time-to-market and flexibility of design. Unfortunately, a strategic decision was made by the JWG to focus ISO/SAE 21434 on the V-Model method.
Agile does not break ISO/SAE 21434. Agile is a framework that can be adapted to suit any process. In the end the goals are the same regardless of development method; security by design must be achieved. This paper will outline the work products of ISO/SAE 21434 and discuss how the work products required by the standard can be achieved using Agile. The application to Agile may require interpreting the standard from another angle, which could involve reordering the sequence of activities and work products, breaking down the acceptable criteria of some work products to allow rapid iterations, and verifications of meta data or intermediate work products. In cybersecurity engineering, Agile has its unique strength compared to the V-model method, as its cyclical nature is better aligned with best practices for Cybersecurity Frameworks.