Online Material
DataCite Commons. Updated 2025-06-01. Indexed 2024-08-19.
Download link:
https://figshare.com/articles/dataset/Online_Material/25199225/1
Resource description:

Overview

This repository contains the additional material for the manuscript *Towards Automated Continuous Security Compliance*.

The manuscript entails three contributions:

1. A definition of continuous security compliance
2. Preliminary challenges in continuous security compliance
3. A roadmap for the investigation and treatment of challenges in continuous security compliance

In this repository, you have access to the additional material for contributions 1. and 2., as there is no additional material for contribution 3.

Contribution 1: A definition of continuous security compliance

As we base the definition of continuous security compliance on a definition of continuous compliance, we first performed an ad-hoc literature search for resources mentioning the term "Continuous Compliance" in Scopus (for scientific literature) and via Google Scholar (for grey literature and theses). We read the relevant resources and filtered out where necessary. The resulting 13 resources are listed in the form of their titles in the first column of continuous_compliance_definition.csv. Additionally, we denote the type of the resource (Academic Manuscript, Grey Literature, Thesis) in the column "Source Type".

Afterward, we extracted the relevant passages (indirectly) defining *Continuous Compliance* into the column "Extracts".

Each extract was analyzed for the following characteristics:

- Does it define continuous compliance in light of their solution/contribution?
- Does the definition entail the aspect of continuous effort toward compliance?
- Does the definition entail the aspect of adherence to requirements stemming from regulatory sources?
- Does the definition describe continuous compliance as a holistic integration into the development life-cycle?

Given the characteristics of these manuscripts, and our own experience, we then define continuous compliance and, based on this, define continuous security compliance.

Contribution 2: Preliminary challenges in continuous security compliance

In the second contribution, we performed a tertiary literature review. For the full tertiary literature review protocol, please consult literature_review_protocol.md.

After experimentation, we queried and filtered the final list of relevant resources. This process is described in the protocol, and its outcome is documented in filtering_results.csv.

Once filtered, we extracted the challenges following the extraction scheme outlined in the protocol, with the results detailed in extraction_results.csv.

Afterward, we performed the analysis of the extracted challenges to validate and extend those given by Moyón (Industrial Challenges in Secure Continuous Development). We documented their relations as:

- Challenge (either challenge of Moyón et al. or new challenge) covers the extracted challenge - This means the extracted challenge supports the challenge.
- Challenge (challenge of Moyón et al.) is covered by extracted challenge - This means the challenge is of finer granularity than the extracted challenge, hence the extracted challenge is not covered by the challenge and needs to be further analyzed and aggregated into a new challenge.
- Challenge (challenge of Moyón et al.) affects extracted challenge - This information is not necessarily relevant for our contribution, however, it might support other researchers when analyzing continuous security compliance challenges for relations.

For each decision, we document the reasoning in the column "Reason for relation". The results of this task are documented in challenge_processing_results.csv.
Provided by:
figshare
Created:
2024-08-01



