Towards a Business Process-Driven Framework for Security Engineering with the UML

A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belong conceptually to the world of business processes, it is natural to try to capture and express them in the context of business models, where customers and end users also feel most comfortable. In this paper, based on experience drawn from ongoing work within the CASENET project [1], we propose a UML-based business process-driven framework for the development of security-critical systems.

[1] Detmar W. Straub, et al. Designing Secure Information Systems and Software, 2002.

[2] M. Koch, et al. Integrating Security Policy Design into the Software Development Process, Technical Report B-01-06, 2001.

[3] Hector J. Levesque, et al. The Frame Problem and Knowledge-Producing Actions, 1993, AAAI.

[4] Ross J. Anderson. Why cryptosystems fail, 1993, CCS '93.

[5] Hector J. Levesque, et al. The Situation Calculus with Sensing and Indexical Knowledge, 1995.

[6] John Mylopoulos, et al. Representing and Using Nonfunctional Requirements: A Process-Oriented Approach, 1992, IEEE Trans. Software Eng.

[7] Bruce Schneier, et al. Secrets and Lies: Digital Security in a Networked World, 2000.

[8] Hector J. Levesque, et al. A Situation Calculus Approach to Modeling and Programming Agents, 1999.

[9] Ralph E. Johnson, et al. Design Patterns: Abstraction and Reuse of Object-Oriented Design, 1993, ECOOP.

[10] Tim Kelly, et al. Deriving safety requirements using scenarios, 2001, Proceedings Fifth IEEE International Symposium on Requirements Engineering.

[11] Rayford B. Vaughn, et al. An empirical study of industrial security-engineering practices, 2002, J. Syst. Softw.

[12] Richard Baskerville, et al. A New Paradigm for Adding Security Into IS Development Methods, 2001, Conference on Information Security Management & Small Systems Security.

[13] Premkumar T. Devanbu, et al. Software engineering for security: a roadmap, 2000, ICSE '00.

[14] G. Dhillon. Managing information system security, 1997.

[15] Lawrence Chung, et al. Dealing with Security Requirements During the Development of Information Systems, 1993, CAiSE.

[16] John P. McDermott, et al. Using abuse case models for security requirements analysis, 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[17] Markus Schumacher, et al. Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, 2003.

[18] John McCarthy, et al. Some Philosophical Problems from the Standpoint of Artificial Intelligence, 1987.

[19] Kees M. van Hee, et al. Use Cases as Workflows, 2003, Business Process Management.

[20] Hector J. Levesque, et al. ConGolog, a concurrent programming language based on the situation calculus, 2000, Artif. Intell.

[21] Günther Pernul, et al. A language for modelling secure business transactions, 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[22] J. Hernández-Orallo. Especificación formal de Protocolos Criptográficos en Cálculo de Situaciones, 2000.

[23] Dimitris Plexousakis, et al. A Formal Framework for Business Process Modeling and Design, 2002.

[24] Hans Eriksson, et al. Business Modeling With UML: Business Patterns at Work, 2000.

[25] Jan Jürjens, et al. Towards Development of Secure Systems Using UMLsec, 2001, FASE.

[26] Ivar Jacobson, et al. The Unified Software Development Process, 1999.

[27] Mikko T. Siponen, et al. Designing secure information systems and software: critical evaluation of the existing approaches and a new paradigm, 2002.

[28] Andreas L. Opdahl, et al. Eliciting security requirements with misuse cases, 2000, Proceedings 37th International Conference on Technology of Object-Oriented Languages and Systems. TOOLS-Pacific 2000.

[29] Peter Coad, et al. Object-oriented patterns, 1992, CACM.