Eliciting Security Requirements for Business Processes of Legacy Systems

The modernisation of enterprise legacy systems, without compromises in their functionality, is a demanding and time-consuming endeavour. To retain the underlying business behaviour during their modernisation, the MARBLE framework has been developed for the extraction of business process models from their source code. Building on top of that work, in this paper we propose an integrated approach for transforming the extracted legacy process models into Secure Tropos goal models. Such models facilitate the elicitation of security requirements at a high level of abstraction; the elicited requirements are then incorporated back into the process models of the modernised systems as security features. Therefore, high-level models can be derived from legacy source code with minimal manual intervention, and security can be elaborated on those models by non-technical stakeholders in alignment with organisational objectives.
