Abstract
A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belongs conceptually to the world of business processes, it is natural to try to capture and express them in the context of business models in which moreover customers and end users feel most comfortable. In this paper, based on experience drawn from an ongoing work within the CASENET project [1], we propose a UML-based business process-driven framework for the development of security-critical systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Allenby, K., Kelly, T.: Deriving safety requirements using scenarios. In: Fifth IEEE International Symposium on Requirements Engineering (RE 2001), pp. 228–235. IEEE Computer Society Press, Los Alamitos (2001)
Anderson, R.J.: Why cryptosystems fail. Communications of the Association for Computing Machinery 37(11), 32–40 (1994)
Brose, G., Koch, M., Löhr, K.-P.: Integrating security policy design into the software development process. Technical Report B-01-06, Institut für Informatik,Freie Universität Berlin (November 2001)
Chaudron, M., van Hee, K., Somers, L.: Use cases as workflows. In: van der Aalst, W.M.P., ter Hofstede, A.H.M., Weske, M. (eds.) BPM 2003. LNCS, vol. 2678, pp. 88–103. Springer, Heidelberg (2003)
Chung, L.: Dealing with security requirements during the development of information systems. In: Rolland, C., Cauvet, C., Bodart, F. (eds.) CAiSE 1993. LNCS, vol. 685, p. 234. Springer, Heidelberg (1993)
Coad, P.: Object-oriented patterns. Communications of the ACM 35(9), 153–159 (1993)
Devanbu, P.T., Stubblebine, S.G.: Software engineering for security. In: Proceedings of the 22th International Conference on Software Engineering (ICSE 2000), June 4-11, pp. 227–240. ACM Press, New York (2000)
Dhillon, G.: Managing Information System Security. Macmillan education, Limited (1997)
OMG Document. OMG XML Metadata Interchange (XMI)Specification, v1.2 (2002)
OMG Document. Initial Response to UML 2.0 OCL RFP ad/ 00-09-03 (UML 2.0 OCL) (2003)
Eriksson, H.-E., Penker, M.: Business Modelling with UML: Business Patterns at Work. John Wiley & Sons, Chichester (2000)
Fallside, D.C.: XML Schema, W3C Recommendation (2001)
Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design patterns: Abstraction and reuse of object-oriented design. In: Nierstrasz, O. (ed.) ECOOP 1993. LNCS, vol. 707, pp. 406–431. Springer, Heidelberg (1993)
Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns. Addison Wesley, Reading (1995)
De Giacomo, G., Lésperance, Y., Levesque, H.J.: ConGolog, A concurrent programming language based on situation calculus. Artificial Intelligence 121(1-2), 109–169 (2000)
Hernández, J., Pinto, J.: Especificación formal de protocolos criptográficos en cálculo de situaciones. Novatica 143, 57–63 (2000)
Jacobson, I., Rumbaugh, J., Booch, G.: The Unified Software Development Process. Object Technology Series. Addison-Wesley, Reading (1999)
Jürjens, J.: Towards development of secure systems using UMLsec. In: Hussmann, H. (ed.) FASE 2001. LNCS, vol. 2029, p. 187. Springer, Heidelberg (2001)
Koubarakis, M., Plexousakis, D.: A formal framework for business process modeling and design. Information Systems 27(5), 299–319 (2002)
Lespérance, Y., Levesque, H.J., Reiter, R.: A situation calculus approach to modeling and programming agents. In: Wooldridge, M.J., Rao, A. (eds.) Foundations of Rational Agency, pp. 275–299. Kluwer Academic Publishers, Dordrecht (1999)
McCarthy, J., Hayes, P.J.: Some philosophical problems from the standpoint of artificial intelligence. Machine Intelligence 4, 463–502 (1969)
McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: 15th Annual Computer Security Applications Conference, ACSAC 1999 (1999)
Mylopoulos, J., Chung, L., Nixon, B.: Representing and using nonfunctional requirements: A process-oriented approach. IEEE Transactions on Software Engineering 18(6), 483–497 (1992); Special Issue on Knowledge Representation and Reasoning in Software Engineering
Röhm, A.W., Herrmann, G., Pernul, G.: A language for modelling secure business transactions. In: IEEE Annual Computer Security Application Conference (ACSAC 1999), Phoenix, USA (December 1999)
Rushby, J.: Security requirements specifications: How and what. In: Symposium on Requirements Engineering for Information Security (SREIS), Indianapolis, IN (March 2001)
Scherl, R., Levesque, H., Lesprance, Y.: The situation calculus with sensing and indexical knowledge. In: Koppel, M., Shamir, E. (eds.) Proceedings of BISFAI 1995: The Fourth Bar-Ilan Symposium on Foundations of Artificial Intelligence, Israel, Ramat Gan and Jerusalem, pp. 86–95 (1995)
Scherl, R.B., Levesque, H.J.: The frame problem and knowledgeproducing actions. In: Fikes, R., Lehnert, W. (eds.) Proceedings of the Eleventh National Conference on Artificial Intelligence. American Association for Artificial Intelligence, pp. 695–698. AAAI Press, Menlo Park (1993)
Schneier, B.: Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons, Inc., New York (2000)
Scumacher, M., Roedig, U.: Security engineering with patterns. In: Pattern Languages of Programs 2001, Monticello, IL (2001)
Sindre, G., Opdahl, A.L.: Eliciting security requirements by misuse cases. In: Proc. TOOLS Pacific 2000, November 2000, pp. 174–183 (2000)
Siponen, M.: Designing secure information systems and software. Academic dissertation, University of Oulo (2002)
Siponen, M., Baskerville, R.: A new paradigm for adding security into is development methods. In: Eloff, J.H.P., Labuschagne, L., vom Solms, R., Dhillon, G. (eds.) Advances in Information Security Management & Small Systems Security, pp. 99–111. Kluwer Academic Publishers, Dordrecht (2001)
Vaugh, R., Henning, R., Fox, K.: An empiricakl study of industrial security engineering practices. Journal of Systems and Software (November 2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Vivas, J.L., Montenegro, J.A., López, J. (2003). Towards a Business Process-Driven Framework for Security Engineering with the UML. In: Boyd, C., Mao, W. (eds) Information Security. ISC 2003. Lecture Notes in Computer Science, vol 2851. Springer, Berlin, Heidelberg. https://doi.org/10.1007/10958513_29
Download citation
DOI: https://doi.org/10.1007/10958513_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20176-2
Online ISBN: 978-3-540-39981-0
eBook Packages: Springer Book Archive