Towards a Business Process-Driven Framework for Security Engineering with the UML

@inproceedings{Vivas2003TowardsAB,
  title={Towards a Business Process-Driven Framework for Security Engineering with the UML},
  author={Jos{\'e} Luis Vivas and Jos{\'e} A. Montenegro and Javier L{\'o}pez},
  booktitle={ISC},
  year={2003}
}
A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belong conceptually to the world of business processes, it is… 
Towards a UML 2.0 Extension for the Modeling of Security Requirements in Business Processes
TLDR
The UML 2.0 extension for modeling secure business processes through activity diagrams is described, and this approach is applied to a typical health-care business process.
A BPMN Extension for the Modeling of Security Requirements in Business Processes
TLDR
The Business Process Modeling Notation extension for modeling secure business processes through Business Process Diagrams is summarized, and the approach is applied to a typical health-care business process.
Capturing Security Requirements in Business Processes Through a UML 2.0 Activity Diagrams Profile
TLDR
A microprocess is shown through which it is possible to specify and refine security requirements at a high level of abstraction, in a way that they can be incorporated into the development of a software system.
Model-based Security Engineering of Electronic Business Processes
TLDR
A security engineering framework in the domain of business process management that bridges the gap between business process models on one side and the design of proper controls and their configuration on the other side is developed.
Secure Business Processes defined through a UML 2.0 extension
TLDR
This paper presents an extension of the UML 2.0 Activity Diagram which allows security requirements to be specified in BP, and applies it to a typical business process related to patient admission in a health-care institution.
Security modeling for service-oriented systems using security pattern refinement approach
TLDR
A pattern refinement approach for security modeling to achieve configurable and declarative security, based on the principles of abstraction, refinement, separation-of-concerns and maintainability to achieve flexible configurations of SOA security is proposed.
Designing secure business processes from organisational goal models
TLDR
This work introduces a framework for the design of secure business process models that uses security-oriented goal models as its starting point to capture a socio-technical view of the system to-be and its security requirements during its early design stages.
Specification and formal verification of security requirements
TLDR
This work proposes including security requirements at the top level of development process, together with functional requirements because they are much related, to extract all communication protocols that are involved in the authors' application and their associated security goals.

References

Integrating Security Policy Design into the Software Development Process Technical Report B – 01 – 06
TLDR
The paper shows how existing UML model elements can be used to specify access control policies for distributed object systems and proposes the automatic generation of a policy specification to configure a CORBA-based infrastructure for view-based access control.
Towards Development of Secure Systems Using UMLsec
TLDR
This work exemplifies use of the extension mechanisms of UML and of a (simplified) formal semantics for it to enable developers to make use of established knowledge on security engineering through the means of a widely used notation.
Using abuse case models for security requirements analysis
  • J. McDermott, C. Fox
  • Computer Science
    Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99)
  • 1999
TLDR
A proven object-oriented modeling technique, use cases, is adapted to capture and analyze security requirements in a simple way, and its relationship to other security engineering work products is relatively simple, from a user perspective.
Dealing with Security Requirements During the Development of Information Systems
TLDR
Treating security requirements as a class of NFRs is applied to designing secure ISs, which allows reusing generic design knowledge, detecting goal interactions, capturing and reasoning about design rationale, and assessing the degree of goal achievement.
A formal framework for business process modelling and design
Eliciting security requirements by misuse cases
  • G. Sindre, A. Opdahl
  • Computer Science
    Proceedings 37th International Conference on Technology of Object-Oriented Languages and Systems. TOOLS-Pacific 2000
  • 2000
TLDR
This paper suggests how this can be done, extending the diagrams with misuse cases, which makes it possible to represent actions that the system should prevent, together with those actions which it should support.
A language for modelling secure business transactions
TLDR
This work presents a methodology to specify secure protocols, which are usable to automatically conduct business processes, as well as market transactions, that are suitable for specifying and conducting market transactions.
A New Paradigm for Adding Security Into IS Development Methods
TLDR
This paper describes a framework that helps to understand the fundamental barriers preventing the alternative SIS design approaches from more effectively addressing shortcomings, and illustrated with an example of a framework-based solution: meta-notation for adding security into IS development methods.
Business Modeling With UML: Business Patterns at Work
TLDR
Key business modeling concepts are presented, including how to define Business Rules with UML's Object Constraint Language (OCL) and how to use business models with use cases.
An empirical study of industrial security-engineering practices