Abstract: Context: Continuous Software Engineering is increasingly adopted in highly regulated domains, raising the need for continuous compliance. Adherence to especially security regulations -- a major concern in highly regulated domains -- renders Continuous Security Compliance of high relevance to industry and research.
Problem: One key barrier to adopting continuous software engineering in the industry is the resource-intensive and error-prone nature of traditional manual security compliance activities. Automation promises to be advantageous. However, continuous security compliance is under-researched, precluding an effective adoption.
Contribution: We have initiated a long-term research project with our industry partner to address these issues. In this manuscript, we make three contributions: (1) We provide a precise definition of the term continuous security compliance aligning with the state-of-art, (2) elaborate a preliminary overview of challenges in the field of automated continuous security compliance through a tertiary literature study, and (3) present a research roadmap to address those challenges via automated continuous security compliance.
What problem does this paper attempt to address?
The problem that this paper attempts to solve is a key obstacle to the adoption of Continuous Software Engineering (CSE) in highly regulated domains: traditional manual security compliance activities are resource-intensive and error-prone. Automation is regarded as a promising solution, but research on continuous security compliance is still insufficient, which hinders its effective application.
Specifically, the paper focuses on the following aspects:
1. **Define continuous security compliance**: Provide a precise definition consistent with the current state of the art to ensure that the term is used consistently and operationally.
2. **Identify challenges**: Through a tertiary literature study, analyze and verify in detail the challenges in the field of automated continuous security compliance.
3. **Propose a research roadmap**: Develop a research plan aimed at addressing the above-mentioned challenges through automated means and promoting the effective implementation of continuous security compliance.
### Specific description of the problem
In highly regulated domains (such as healthcare, critical manufacturing, or transportation systems), suppliers must comply with various regulations (such as laws, standards, internal policies, contracts, or best practices) to ensure the quality of the system, including safety, reliability, and privacy protection. However, traditional manual compliance activities can hardly keep pace with the rapid development cadence of CSE, so they consume many resources and remain error-prone.
In addition, although some progress has been made in research on automated compliance checks in recent years, the research on how to achieve automated continuous security compliance in CSE is still insufficient. This makes it difficult for the industry to effectively adopt these methods. Therefore, the paper hopes to fill this research gap through a systematic method and provide guidance for practical applications.
### Goals of the paper
- **Understand the challenges**: Gain an in-depth understanding of the challenges of complying with security regulations in CSE projects.
- **Clarify the requirements**: Understand the requirements and constraints of automated continuous security compliance in literature and practice.
- **Analyze the potential**: Evaluate the potential of automation in addressing the identified challenges and its impact on human intervention.
- **Develop solutions**: Based on the above analysis, develop and evaluate automated solutions suitable for the industrial environment.
Through these goals, the paper hopes to advance research and development in the field of automated continuous security compliance and help organizations in highly regulated domains better adapt to the rapid development cadence of CSE.