Towards a Security Engineering Process Model for Electronic Business Processes

Business process management (BPM) and accompanying systems aim at enabling enterprises to become adaptive. In spite of the dependency of enterprises on secure business processes, BPM languages and techniques provide only little support for security. Several complementary approaches have been proposed for security in the domain of BPM. Nevertheless, support for a systematic procedure for the development of secure electronic business processes is still missing. In this paper, we pinpoint the need for a security engineering process model in the domain of BPM and identify key requirements for such process model.Comment: Ninth European Dependable Computing Conference (EDCC 2012

Web engineering security: essential elements

Security is an elusive target in today’s high-speed and extremely complex, Web enabled, information rich business environment. This paper presents the idea that there are essential, basic organizational elements that need to be identified, defined and addressed before examining security aspects of a Web Engineering Development process. These elements are derived from empirical evidence based on a Web survey and supporting literature. This paper makes two contributions. The first contribution is the identification of the Web Engineering specific elements that need to be acknowledged and resolved prior to the assessment of a Web Engineering process from a security perspective. The second contribution is that these elements can be used to help guide Security Improvement Initiatives in Web Engineering

A proposed case for the cloud software engineering in security

This paper presents Cloud Software Engineering in Security (CSES) proposal that combines the benefits from each of good software engineering process and security. While other literature does not provide a proposal for Cloud security as yet, we use Business Process Modeling Notation (BPMN) to illustrate the concept of CSES from its design, implementation and test phases. BPMN can be used to raise alarm for protecting Cloud security in a real case scenario in real-time. Results from BPMN simulations show that a long execution time of 60 hours is required to protect real-time security of 2 petabytes (PB). When data is not in use, BPMN simulations show that the execution time for all data security rapidly falls off. We demonstrate a proposal to deal with Cloud security and aim to improve its current performance for Big Data

The Web Engineering Security (WES) methodology

The World Wide Web has had a significant impact on basic operational economical components in global information rich civilizations. This impact is forcing organizations to provide justification for security from a business case perspective and to focus on security from a web application development environment perspective. This increased focus on security was the basis of a business case discussion and led to the acquisition of empirical evidence gathered from a high level Web survey and more detailed industry surveys to analyse security in the Web application development environment. Along with this information, a collection of evidence from relevant literature was also gathered. Individual aspects of the data gathered in the previously mentioned activities contributed to the proposal of the Essential Elements (EE) and the Security Criteria for Web Application Development (SCWAD). The Essential Elements present the idea that there are essential, basic organizational elements that need to be identified, defined and addressed before examining security aspects of a Web Engineering Development process. The Security Criteria for Web Application Development identifies criteria that need to be addressed by a secure Web Engineering process. Both the EE and SCWAD are presented in detail along with relevant justification of these two elements to Web Engineering. SCWAD is utilized as a framework to evaluate the security of a representative selection of recognized software engineering processes used in Web Engineering application development. The software engineering processes appraised by SCWAD include: the Waterfall Model, the Unified Software Development Process (USD), Dynamic Systems Development Method (DSDM) and eXtreme Programming (XP). SCWAD is also used to assess existing security methodologies which are comprised of the Orion Strategy; Survivable / Viable IS approaches; Comprehensive Lightweight Application Security Process (CLASP) and Microsoft’s Trust Worthy Computing Security Development Lifecycle. The synthesis of information provided by both the EE and SCWAD were used to develop the Web Engineering Security (WES) methodology. WES is a proactive, flexible, process neutral security methodology with customizable components that is based on empirical evidence and used to explicitly integrate security throughout an organization’s chosen application development process. In order to evaluate the practical application of the EE, SCWAD and the WES methodology, two case studies were conducted during the course of this research. The first case study describes the application of both the EE and SCWAD to the Hunterian Museum and Art Gallery’s Online Photo Library (HOPL) Internet application project. The second case study presents the commercial implementation of the WES methodology within a Global Fortune 500 financial service sector organization. The assessment of the WES methodology within the organization consisted of an initial survey establishing current security practices, a follow-up survey after changes were implemented and an overall analysis of the security conditions assigned to projects throughout the life of the case study

Managing Security Requirements: Towards Better Alignment Between Information Systems And Business

Information Systems are increasingly becoming essential to the success of business organizations. They play a central role in the success of almost all components of the organization such as business decision-making, business strategy formulation, business goal modeling, managing organizational resources, structure, managing organizational data etc. However, protecting information systems and organizational resources from security threats is a critical task in the management of the business, which alternately, negatively affects the alignment process between business and information systems. Managing information security within business organizations calls for a clear understanding of the viewpoint of business and the architecture of the system that is being used in the organization. This paper presents a requirements engineering based approach to modeling and maping the issue of information security at an early stage of the system’s development life cycle in the context of alignment between business and information systems

Evolution of Software Engineering in the Changing Scenario of Modern Hardware Architecture, Semantic Web and Cloud Computing Platform

Traditional way of software engineering is no longer fully suitable in the changing scenario of modern hardwareand software architecture of parallel and distributed computing on Semantic web and Cloud computing platform. A parallelhardware architecture can support high performance computing but needs changes in programming style. Also the capabilityof Semantic web can link everything on the internet making an interoperable intelligent system. And with this capabilitymany beneficial business models like Web services and Cloud computing platform have been conceptualized. Cloudcomputing is the most anticipated future trend of computing. These changes in hardware and software architecture means weneed to re-visit the traditional software engineering process models meant for a single computer system. This paper firstsurveys the evolution of hardware architecture, newer business models, newer software applications and then analyses theneed for changes in software engineering process models to leverage all the benefits of the newer business models. Thispaper also emphasizes the vulnerability of the web applications and cloud computing platform in terms of risk managementof web applications in general and privacy and security of customer information in shared cloud platform which maythreaten the adoption of the cloud platform.Keywords/Index Terms— Agile Process Model , Cloud Computing Platform, Privacy and Security Issues, RiskManagement, Semantic Web, Software Evolution

Global IT and IT-enabled services

Several topics that were covered during the IEEE Symposium on Advanced Management of Information for Globalized Enterprises (AMIGE) held in September 2008, in Tianjin, China, are presented. The symposium focused on the globalized information management, a multidisciplinary covering such fields as computer science, industrial engineering, information systems, management science and engineering, and operations management. The research in global IT and IT-enabled services covers a wide spectrum of topics that include business processes and management in a global setting, such as global workflow technologies and applications, global information system integration and interaction, and global knowledge management. One of the topics focused on the importance of business process modeling technologies and security requirements in order to derive a trust federation from formally described business process models.published_or_final_versionSpringer Open Choice, 21 Feb 201

Capturing Security Requirements Using Essential Use Cases (EUCs)

Capturing security requirements is a complex process, but it is crucial to the success of a secure software product. Hence, requirements engineers need to have security knowledge when eliciting and analyzing the security requirements from business requirements. However, the majority of requirements engineers lack such knowledge and skills, and they face difficulties to capture and understand many security terms and issues. This results in capturing inaccurate, inconsistent and incomplete security requirements that in turn may lead to insecure software systems. In this paper, we describe a new approach of capturing security requirements using an extended Essential Use Cases (EUCs) model. This approach enhances the process of capturing and analyzing security requirements to produce accurate and complete requirements. We have evaluated our prototype tool using usability testing and assessment of the quality of our generated EUC security patterns by security engineering experts

An Experience Report of Eliciting Security Requirements from Business Processes

Väikesed ja keskmise suurusega ettevõtted näevad vaeva, et leida strateegiaid saavutamaks kõrgetasemelist infoturvet. Tihti ei ole need ettevõtted teadlikud infotehnoloogiaga seonduvatest riskidest. Lisaks suurendab haavatavuse riski finants- ja IT osakondade vähesus, kellel ei ole oma teabeturbe ametnikku. Äriprotsesside juhtimise ning joondamine, mis omakorda avaldub turvalisuse vajaduste esiletoomises kasutades äriprotsessidepõhist lähenemist, pakub sellele sektoripõhisele teemale oma lahenduse, võimaldades juurutada turvalisuse riskidele orienteeritud mudeleid ka ärianalüütikute jaoks. Kontekstuaalsetel valdkondadel põhinevad mustrid illustreerivad ettevõttevarasid, haavatavust ja riskikohtlemist turvanõuete kujul. See saavutatakse kasutades äriprotsesside mudelit, Notation 2.0 modelleerimiskeelt ning spetsiaalselt projekteeritud lahendusi, mis lisanduvad IT turvalisuse valdkondkonnale. Selle tulemuseks on kohaldatav lahendus, mis kutsub esile turvanõuded. Selle uurimuse keskmes on mustrite rakendumine, mõõtmaks nende sooritust saksa SME-s. Ärivahendite ja ohutusalaste eesmärkide määramise järel identifitseeriti mitmed mustri esinemised, mis kulmineerusid mitmete ohutusnõuete määramisega. Rakendamise oskuste ja kasutatavusega seoses ettevõttega, tõi esile väga selge mustrite esinemise. Lisaks arendati eelnevaga seoses uus muster kasutades informatsioonisüsteemi turvariski juhtimise domeeni (Information System Security Risk Management Domain) mudelit. Lõpetuseks soovitab autor käesolevas uurimuses prioritiseerimise ja inspektsiooni meetodite kaasamist ohutuskvaliteedi nõuete tehnika metoodikast ning organisatsioonilise koosseisu teoreemi laiendust, mis omakorda võimaldab SREBP-i täiendavat automatiseerimist. Need muudatused toovad kaasa käsitluse, mille alusel suureneb väikese ja keskmise suurusega ettevõtete turvalisus. Märksõnad: väiksed ja keskmise suurusega ettevõtted, äriprotsesside juhtimine, ohutusnõuete esilekutsumine äriprotsesside baasil, ohutusriskialased mustrid, ohutusnõuded, mustri esinemised, informatsioonisüsteemi turvariski juhtimise domeeni mudel.Small and Medium Sized Enterprises struggle to find strategies to achieve a high level of information security or are unaware of the risks posed by information technology. A lack of finance and IT departments that miss an information security officer increase the risk of exploited vulnerabilities. The alignment of Business Process Management and Security engineering manifested in the Security Requirements Elicitation using Business Processes approach provides a solution of this sector wide issue by introducing Security Risk-oriented Patterns applicable also for Business analysts. Patterns that are based on contextual areas illustrate business assets, vulnerabilities and risk treatment in form of security requirements. This is achieved by using the Business Process Model and Notation 2.0 modeling language and specifically engineered extensions which add the IT security domain. Outcome of this bridging is an applicable solution to elicit security requirements. Core of this thesis is the pattern application to measure their performance in a German SME. After business assets and security objectives were set, several pattern occurrences have been identified that resulted in a number of security requirements. Implementation abilities and usefulness with regards to the company underlined strong pattern performance. Moreover, a new pattern has been developed by using the Information System Security Risk Management Domain Model. Finally, the inclusion of prioritization and inspection techniques from the Security Quality Requirements Engineering methodology is suggested and extensions from the theorem of organizational configurations that enable further automation of SREBP. These modifications result in an approach that increases the security of Small and Medium Sized Enterprises. Keywords: Small and Medium Sized Enterprises; Business Process Management; Security Requirements Elicitation using Business Processes; Security Risk-oriented Patterns; security requirements; pattern occurrences; Information System Security Risk Management Domain Mode

Business process security maturity: a paradigm convergence

Information technology developments in software and hardware have enabled radical changes in information systems, culminating in the paradigm Business Process Management. There has been a concomitant rise in the importance of information security and security engineering due to the increased reliance by society on information. Information is seen as a critical success factor which needs protection. Information security is the response to increased hazards created through recent innovations in Web technology and the advent of intra and inter enterprise-wide systems. Security engineering is based on a variety of codes of practice and security metrics which aim at ameliorating these increased security hazards. Its aim is to produce a balanced set of security needs which are integrated into the system activities to establish confidence in the effectiveness of the security counter-measures. It is generally accepted that security should be applied in an integrated approach, for example, in Information Systems development. This has proved to be a noble thought but is the exception to the rule. Security, historically, is generally applied as an after-thought in an Information Technology implementation. This motivated the concept of formulating a model of integrating security inherently within the paradigm of BPM. The overarching requirements of the model are to align the overall organisational security initiatives and ensure continuous improvement through constant evaluation and adaptation of the security processes. It is the intention of this research to show that these requirements are achievable through aligning the process management methodology of BPM, with the security paradigms of Information Security Management (using the ISO 17799 standard) and security engineering (using the Systems Security Engineering Capability Maturity Model – SSE-CMM). The aim of the Business Process Security Maturity model as the output of this research, is to link the SSE-CMM, as the security metric and appraisal method, to the ISO 17799 security standard, which provides the guidance for the information security management framework and security control selection, within the Business Process Management environment. The SSE-CMM, as the security version of the Capability Maturity Model, provides the necessary strategy to control the security engineering processes that support the information systems and it maintains that as processes mature they become more predictable, effective and manageable. The aim of the model is to provide an integrated, mature security strategy within the business process and monitor and correct the security posture of the implemented counter-measures