Modern enterprise systems need to implement and comply to increasingly complex security, compliance, and privacy policies. To address this need, we developed SecureBPMN, a model-driven security approach for process-driven systems.

SecureBPMN: model-driven security for process-driven systems

SecureBPMN is a model-driven security approach for business-process-driven systems. SecureBPMN integrates security and privacy aspects into BPMN. It allows modeling, formally analyze SecureBPMN models as well as to generate code and configuration artifacts.

The SecureBPMN Modeling and Verification Environment

On the one hand, SecureBPMN provides a domain-specific modeling language that allows to model security aspects (e.g., access control, separation of duty, confidentiality). SecurePBPMN is defined as a metamodel that can easily be integrated into BPMN and, thus, can be used for modeling secure and business processes as well as secure service compositions.

On the other hand, SecureBPMN provides and end-to-end modeling, verification, and validation approach for building systems that comply to complex security, privacy, or compliance requirements. The SecureBPMN tool chain does not only support modeling of secure business process and service compositions: it also supports the formal analysis both on the level of SecureBPMN models and refinement properties between the model and the actual implementation.

The SecureBPMN tool chain is free software: its source code is available in our git repository.

Important Publications

[1]
M. Kohler, A. D. Brucker, and A. Schaad, ProActive Caching: Generating caching heuristics for business process environments,” in International conference on computational science and engineering (CSE), vol. 3, Los Alamitos, CA, USA: IEEE Computer Society, 2009, pp. 207–304. doi: 10.1109/CSE.2009.177.
[2]
M. Kohler and A. D. Brucker, “Caching strategies: An empirical evaluation,” in International workshop on security measurements and metrics (MetriSec), New York, NY, USA: ACM Press, 2010, pp. 1–8. doi: 10.1145/1853919.1853930.
[3]
G. Monakova, A. D. Brucker, and A. Schaad, “Security and safety of assets in business processes,” in ACM symposium on applied computing (SAC), 2012, pp. 1667–1673. doi: 10.1145/2245276.2232045.
[4]
A. D. Brucker, I. Hang, G. Lückemeyer, and R. Ruparel, SecureBPMN: Modeling and enforcing access control requirements in business processes,” in ACM symposium on access control models and technologies (SACMAT), 2012, pp. 123–126. doi: 10.1145/2295136.2295160.
[5]
G. Monakova, C. Severin, A. D. Brucker, U. Flegel, and A. Schaad, “Monitoring security and safety of assets in supply chains,” in Future security, 2012, vol. 318, pp. 9–20. doi: 10.1007/978-3-642-33161-9_3.
[6]
A. D. Brucker and I. Hang, “Secure and compliant implementation of business process-driven systems,” in Joint workshop on security in business processes (SBP), 2012, vol. 132, pp. 662–674. doi: 10.1007/978-3-642-36285-9_66.
[7]
L. Compagna, P. Guilleminot, and A. D. Brucker, “Business process compliance via security validation as a service,” in IEEE sixth international conference on software testing, verification and validation (ICST), 2013, pp. 455–462. doi: 10.1109/ICST.2013.63.
[8]
A. D. Brucker, F. Malmignati, M. Merabti, Q. Shi, and B. Zhou, “A framework for secure service composition,” in International conference on information privacy, security, risk and trust (PASSAT), Los Alamitos, CA, USA: IEEE Computer Society, 2013, pp. 647–652. doi: 10.1109/SocialCom.2013.97.
[9]
A. D. Brucker, “Integrating security aspects into business process models,” it - Information Technology, vol. 55, no. 6, pp. 239–246, Dec. 2013, doi: 10.1524/itit.2013.2004.
[10]
A. D. Brucker, “Using SecureBPMN for modelling security-aware service compositions,” in Secure and trustworthy service composition: The aniketos approach, A. D. Brucker, F. Dalpiaz, P. Giorgini, P. H. Meland, and E. Rios, Eds. Heidelberg: Springer-Verlag, 2014, pp. 110–120. doi: 10.1007/978-3-319-13518-2_8.
[11]
A. D. Brucker, F. Malmignati, M. Merabti, Q. Shi, and B. Zhou, “Aniketos service composition framework: Analysing and ranking of secure services,” in Secure and trustworthy service composition: The aniketos approach, A. D. Brucker, F. Dalpiaz, P. Giorgini, P. H. Meland, and E. Rios, Eds. Heidelberg: Springer-Verlag, 2014, pp. 121–135. doi: 10.1007/978-3-319-13518-2_9.
[12]
A. D. Brucker, L. Compagna, and P. Guilleminot, “Compliance validation of secure service compositions,” in Secure and trustworthy service composition: The aniketos approach, A. D. Brucker, F. Dalpiaz, P. Giorgini, P. H. Meland, and E. Rios, Eds. Heidelberg: Springer-Verlag, 2014, pp. 136–149. doi: 10.1007/978-3-319-13518-2_10.
[13]
M. Asim, A. Yautsiukhin, A. D. Brucker, B. Lempereur, and Q. Shi, “Security policy monitoring of composite services,” in Secure and trustworthy service composition: The aniketos approach, A. D. Brucker, F. Dalpiaz, P. Giorgini, P. H. Meland, and E. Rios, Eds. Heidelberg: Springer-Verlag, 2014, pp. 192–202. doi: 10.1007/978-3-319-13518-2_13.
[14]
A. D. Brucker, F. Dalpiaz, P. Giorgini, P. H. Meland, and E. Rios, Eds., Secure and trustworthy service composition: The aniketos approach. Heidelberg: Springer-Verlag, 2014. doi: 10.1007/978-3-319-13518-2.
[15]
M. Salnitri, A. D. Brucker, and P. Giorgini, “From secure business process models to secure artifact-centric specifications,” in Enterprise, business-process and information systems modeling BPMDS, 2015, pp. 246–262. doi: 10.1007/978-3-319-19237-6_16.
[16]
A. D. Brucker, B. Zhou, F. Malmignati, Q. Shi, and M. Merabti, “Modelling, validating, and ranking of secure service compositions,” Software: Practice and Expierence (SPE), vol. 47, pp. 1912–1943, Dec. 2017, doi: 10.1002/spe.2513.
[17]
M. Asim, A. Yautsiukhin, A. D. Brucker, T. Baker, Q. Shi, and B. Lempereur, “Security policy monitoring of BPMN-based service compositions,” Journal of Software: Evolution and Process, 2018, doi: 10.1002/smr.1944.