Applicability of IEC 62443-4-1 based secure development lifecycle (SDL) to cloud applications
Lepola, Joona (2021)
Tietotekniikan DI-ohjelma - Master's Programme in Information Technology
Informaatioteknologian ja viestinnän tiedekunta - Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2021-12-01
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-202111298779
Abstract
Secure Development Lifecycle (SDL) is a great way to increase the security of a product during its lifetime. This work researches how well the industrial automation SDL, defined by IEC 62443-4-1, fits applications developed for a cloud environment. IEC 62443-4-1 based SDL is widely used in industrial companies, and its use could be extended to cloud development, after which companies could use the existing tools and policies. This would make the transition to cloud-based development a bit easier.
The work is divided into four parts. The literature review chapter presents previous similar studies on the compatibility of IEC 62443-4-1 and the cloud environment, studies on the compatibility of IEC 62443-4-1 and agile methodologies, as well as mapping work related to the security of a secure cloud application. The work found no previous studies covering both IEC 62443-4-1 and the cloud environment, since most only mention one of them, whilst the focus of the work itself is on another topic. One study about agility was found and used for this work. The literature review also found one good work related to a safe cloud environment that is used as a reference in later chapters. The suitability is then mapped using an example project. The example project is an application running in a cloud environment to which IEC 62443-4-1 based SDL is applied. The work first presents the project in detail and compares it against the Cloud Security Alliance Security Guidance v4.0 book and previous studies on cloud security. The security features and deficiencies found are utilized in later stages. After the presentation of the project, all the processes required by the IEC 62443-4-1 SDL are reviewed one by one, with a justification of how they apply to the example project. Finally, the work analyses how well the existing processes of SDL adapt to the project and how well the security features and deficiencies found have been considered in SDL, and suggests possible additional processes.
When SDL processes are adapted to the example project, it is noticed that most of them are directly suitable for the project, and a total of four processes are left unselected. The analysis phase shows that the non-selected processes are suitable for the cloud environment and were not selected for the project because it lacked certain features required by these processes. Thus, the analysis shows that all the processes are suitable for the cloud environment, but the work still highlights 21 processes where it is good to keep certain things in mind when applying them to the cloud environment. For example, agile development methods are often involved in cloud development, which requires a different approach to a few processes. The second is defining the user, which is not necessarily easy in every case.
Research shows that IEC 62443-4-1 is also suitable for use in cloud environments if a few things are remembered when it is implemented.