Companies adopt agile methodologies and DevOps to facilitate efficient development and deployment of software-intensive products. This, in turn, introduces challenges in relation to security standard compliance traditionally following a more linear workflow. This is especially a challenge for the engineering of products and services associated with critical infrastructures. To support companies in their transition towards DevOps, this paper presents an adaptation of DevOps according to security regulations and standards. We report on our longitudinal study at Siemens AG, consisting of several individual sub-studies in the inception, validation, and initial adoption of our framework based on RefA as well as the implications for practice. RefA is a prescriptive model of a security compliant DevOps lifecycle based on the IEC 62443-4-1 standard. The overall framework is aimed at professionals, not only security experts, being able to use it on implementing DevOps processes while remaining compliant with security norms. We demonstrate how RefA facilitates the transfer of security compliance knowledge to product development teams. This knowledge transfer supports the agility aim of ensuring that cross-functional teams have all the skills needed to deliver the compliant products.

翻译：企业采用敏捷方法与DevOps以促进软件密集型产品的高效开发与部署。然而，这同时也带来了与遵循传统线性工作流的安全标准合规性相关的挑战。对于涉及关键基础设施的产品与服务工程而言，此挑战尤为突出。为支持企业向DevOps转型，本文提出了一种依据安全法规与标准调整DevOps的框架。我们报告了在西门子股份公司进行的纵向研究，该研究包含多个子研究，涵盖基于RefA的框架的构思、验证与初步应用阶段及其实际影响。RefA是一种基于IEC 62443-4-1标准、规定安全合规DevOps生命周期的规范性模型。该整体框架面向专业人员（不仅限于安全专家），使其能够在实施DevOps流程的同时保持符合安全规范。我们展示了RefA如何促进安全合规知识向产品开发团队的传递。这种知识转移支持了敏捷目标，即确保跨职能团队具备交付合规产品所需的所有技能。