Presentation and Validation of Method for Security Requirements Elicitation from Business Processes

2015 ◽  
pp. 20-35 ◽  
Author(s):  
Naved Ahmed ◽  
Raimundas Matulevičius
Keyword(s):  
Business Processes ◽  
Requirements Elicitation ◽  
Security Requirements

Secure Software Development of Cyber-Physical and IoT Systems

2018 ◽  
pp. 7525-7538
Author(s):  
Muthu Ramachandran
Keyword(s):  
Business Processes ◽  
Systems Development ◽  
Cloud Services ◽  
Security Requirements ◽  
Cloud Environment ◽  
Systems Security ◽  
Development Life Cycle ◽  
General Systems ◽  
Secure Software Development

This real-world case study has been used to demonstrate the best practices on business process modelling and component based design for developing cloud services with Build Security In (BSI). BSI techniques, strategies, and processes presented in this article are general systems security principles and are applicable for both a cloud environment and traditional environment (non-cloud environment). The significant contribution of this research is to illustrate the application of the extended system security method known as SysSQUARE to elicit security requirements, identify security threats of data, as well as integrating build-in security techniques by modelling and simulating business processes upfront in the systems development life cycle.

scholarly journals A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

2020 ◽  
Vol 19 (5) ◽  
pp. 1191-1227 ◽  
Author(s):  
Qusai Ramadan ◽  
Daniel Strüber ◽  
Mattia Salnitri ◽  
Jan Jürjens ◽  
Volker Riediger ◽  
...  
Keyword(s):  
Data Storage ◽  
Business Processes ◽  
User Study ◽  
Query Language ◽  
Healthcare Management ◽  
Security Requirements ◽  
Domain Specific ◽  
Trade Offs ◽  
Legal Sanctions ◽  
Context Specific

Abstract Requirements are inherently prone to conflicts. Security, data-minimization, and fairness requirements are no exception. Importantly, undetected conflicts between such requirements can lead to severe effects, including privacy infringement and legal sanctions. Detecting conflicts between security, data-minimization, and fairness requirements is a challenging task, as such conflicts are context-specific and their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution of a task that writes data into a secure data storage, where the identity of the writer is needed for the purpose of accountability. Moreover, conflicts not arise from trade-offs between requirements elicited from the stakeholders, but also from misinterpretation of elicited requirements while implementing them in business processes, leading to a non-alignment between the data subjects’ requirements and their specifications. Both types of conflicts are substantial challenges for conflict detection. To address these challenges, we propose a BPMN-based framework that supports: (i) the design of business processes considering security, data-minimization and fairness requirements, (ii) the encoding of such requirements as reusable, domain-specific patterns, (iii) the checking of alignment between the encoded requirements and annotated BPMN models based on these patterns, and (iv) the detection of conflicts between the specified requirements in the BPMN models based on a catalog of domain-independent anti-patterns. The security requirements were reused from SecBPMN2, a security-oriented BPMN 2.0 extension, while the fairness and data-minimization parts are new. For formulating our patterns and anti-patterns, we extended a graphical query language called SecBPMN2-Q. We report on the feasibility and the usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.

A BPMN Extension for the Modeling of Security Requirements in Business Processes

2007 ◽  
Vol E90-D (4) ◽  
pp. 745-752 ◽  
Author(s):  
A. RODRIGUEZ ◽  
E. FERNANDEZ-MEDINA ◽  
M. PIATTINI
Keyword(s):  
Business Processes ◽  
Security Requirements

Information flow control for workflow management systems

2014 ◽  
Vol 56 (6) ◽  
Author(s):  
Thomas Bauereiß ◽  
Dieter Hutter
Keyword(s):  
Flow Control ◽  
Information Flow ◽  
Business Processes ◽  
Open Systems ◽  
Workflow Management ◽  
User Interaction ◽  
Security Requirements ◽  
Management Systems ◽  
Workflow Management Systems ◽  
Information Flow Control

AbstractWorkflow management plays an important role in analyzing and automating business processes. Security requirements in workflow management systems are typically mapped to (role-based) access control configurations. This paper focuses on information flow control, taking into account implicit information leaks. The presented approach operates on a specification level in which no executable program is available yet. We illustrate the modeling of a workflow management system as a composition of state-event systems, each representing one of the activities of the workflow. This facilitates distributed deployment and eases verification by splitting up the verification of the overall system into verification of the individual components. Confidentiality requirements are modeled in terms of information flow predicates using the MAKS framework and verified following existing decomposition methodologies, which are adapted for open systems with ongoing user interaction. We discuss the interaction with other security requirements, notably separation of duty.

Sign in / Sign up

Export Citation Format

Share Document