从安全业务流程建模到设计级安全验证

2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS) Pub Date : 2017-09-17 DOI:10.1109/MODELS.2017.10

Qusai Ramadan, Mattia Salnitri, D. Strüber, J. Jürjens, P. Giorgini

{"title":"从安全业务流程建模到设计级安全验证","authors":"Qusai Ramadan, Mattia Salnitri, D. Strüber, J. Jürjens, P. Giorgini","doi":"10.1109/MODELS.2017.10","DOIUrl":null,"url":null,"abstract":"Tracing and integrating security requirements throughout the development process is a key challenge in security engineering. In socio-technical systems, security requirements for the organizational and technical aspects of a system are currently dealt with separately, giving rise to substantial misconceptions and errors. In this paper, we present a model-based security engineering framework for supporting the system design on the organizational and technical level. The key idea is to allow the involved experts to specify security requirements in the languages they are familiar with: business analysts use BPMN for procedural system descriptions; system developers use UML to design and implement the system architecture. Security requirements are captured via the language extensions SecBPMN2 and UMLsec. We provide a model transformation to bridge the conceptual gap between SecBPMN2 and UMLsec. Using UMLsec policies, various security properties of the resulting architecture can be verified. In a case study featuring an air traffic management system, we show how our framework can be practically applied.","PeriodicalId":162884,"journal":{"name":"2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":"{\"title\":\"From Secure Business Process Modeling to Design-Level Security Verification\",\"authors\":\"Qusai Ramadan, Mattia Salnitri, D. Strüber, J. Jürjens, P. Giorgini\",\"doi\":\"10.1109/MODELS.2017.10\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Tracing and integrating security requirements throughout the development process is a key challenge in security engineering. In socio-technical systems, security requirements for the organizational and technical aspects of a system are currently dealt with separately, giving rise to substantial misconceptions and errors. In this paper, we present a model-based security engineering framework for supporting the system design on the organizational and technical level. The key idea is to allow the involved experts to specify security requirements in the languages they are familiar with: business analysts use BPMN for procedural system descriptions; system developers use UML to design and implement the system architecture. Security requirements are captured via the language extensions SecBPMN2 and UMLsec. We provide a model transformation to bridge the conceptual gap between SecBPMN2 and UMLsec. Using UMLsec policies, various security properties of the resulting architecture can be verified. In a case study featuring an air traffic management system, we show how our framework can be practically applied.\",\"PeriodicalId\":162884,\"journal\":{\"name\":\"2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)\",\"volume\":\"12 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-09-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"19\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/MODELS.2017.10\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MODELS.2017.10","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 19

摘要

在整个开发过程中跟踪和集成安全需求是安全工程中的一个关键挑战。在社会技术系统中，系统的组织和技术方面的安全要求目前是分开处理的，这导致了大量的误解和错误。本文提出了一个基于模型的安全工程框架，从组织和技术层面为系统设计提供支持。关键思想是允许相关专家用他们熟悉的语言指定安全需求:业务分析师使用BPMN进行过程系统描述;系统开发人员使用UML来设计和实现系统架构。通过语言扩展SecBPMN2和UMLsec捕获安全需求。我们提供了一个模型转换来弥合SecBPMN2和UMLsec之间的概念差距。使用UMLsec策略，可以验证生成的体系结构的各种安全属性。在一个以空中交通管理系统为特色的案例研究中，我们展示了如何实际应用我们的框架。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

From Secure Business Process Modeling to Design-Level Security Verification

Tracing and integrating security requirements throughout the development process is a key challenge in security engineering. In socio-technical systems, security requirements for the organizational and technical aspects of a system are currently dealt with separately, giving rise to substantial misconceptions and errors. In this paper, we present a model-based security engineering framework for supporting the system design on the organizational and technical level. The key idea is to allow the involved experts to specify security requirements in the languages they are familiar with: business analysts use BPMN for procedural system descriptions; system developers use UML to design and implement the system architecture. Security requirements are captured via the language extensions SecBPMN2 and UMLsec. We provide a model transformation to bridge the conceptual gap between SecBPMN2 and UMLsec. Using UMLsec policies, various security properties of the resulting architecture can be verified. In a case study featuring an air traffic management system, we show how our framework can be practically applied.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)

自引率

0.00%

发文量