Transition between process models (BPMN) and service models (WS-BPEL and other standards): A systematic review

BPMN and BPEL have become de facto standards for modeling of business processes and imple-mentation of business processes via Web services. There is a quintessential problem of discrep-ancy between these two approaches as they are applied in different phases of lifecycle and theirfundamental concepts are different — BPMN is a graph based language while BPEL is basicallya block-based programming language. This paper shows basic concepts and gives an overviewof research and ideas which emerged during last two years, presents state of the art and possiblefuture research directions. Systematic literature review was performed and critical review wasgiven regarding the potential of the given solutions

An Extension of Business Process Model and Notation for Security Risk Management

Kaasaegsed infosüsteemide arendamise metoodikad hõlmavad erinevaid tehnilisi äriprotsesside modelleerimise meetmeid. Äriprotsesside modelleerimiseks kasutatav keel (BPMN) on tänapäeval muutunud üheks standartseks meetmeks, mis edukalt rakendatakse infosüsteemide loomisel ning edasi arendamisel selleks, et ettevõtete äriprotsesse kirjeldada ja modelleerida.Vaatamata sellele, et BPMN on hea töörist, mille abil on võimalik ettevõtte äriprotsesse mõistma ja esitama, see ei võimalda äriprotsesside modelleerimisel adresseerida süsteemi turvalisuse aspekte. Autor leiab, et see on BPMN nõrk külg, selle pärast, et turvalise infosüsteemi arendamiseks on oluline nii äriprotsesse kui ka süsteemi turvalisust vaadeldada tervikuna. Käesolevas magistritöös autor töötab välja BPMN 2.0 keele jaoks uusi elemente, mis edaspidi peavad võimaldama adresseerima turvalisuse temaatika süsteemi modelleerimisel. Autori pakutud lahendus põhineb BPMN modelleerimiskeele seostamisel turvalisuse riski juhendamise metoodikaga (ISSRM). Antud magistritöös rakendatakse struktureeritud lähenemine BPMN peamiste aspektide analüüsimisel ja turvalisuse riskide juhtimiseks uute elementide väljatöötamisel, selleks ühildades BPMN ning ISSRM-i kontsepte. Magistritöös on demonstreeritud väljatöötatud lisaelementide kasutus, selgitatud kuidas antud elementidega laiendatud BPMN võimaldab väljendada ettevõtte varasid (assets), nendega seotuid riske (risks) ja riskide käsitlust (risk treatment). See on analüüsitud internetkaupluse varade konfidentsiaalsuse, terviklikkuse ja kättesaadavuse näitel. Autor on veendunud, et BPMN laienemine turvalisuse kontseptide osas ja antud töö raames tehtud konkreetsed ettepanekud aitavad infosüsteemide analüütikutele mõistma kuidas süsteemi turvalisust arendada nii, et läbi äriprotsessi tuvastatud olulisemate ettevõtte varade turvalisus oleks infosüsteemis käsitletud ning tagatud. Autori poolt antud käsitlus on vaadeldud ka laiemas mõttes, nimelt, BPMN keelele pakutud laienemisega avaneb perspektiiv äriprotsesside ja turvalisuse mudeleite koosvõimele ning BPMN-i teiste modelleerimise metoodikatega, nagu ISSRM või Secure Tropos, integreerimisele.Modern Information System (IS) development supports different techniques for business process modelling. Recently Business Process Model and Notation (BPMN) has become a standard that allows modelers to visualize organizational business processes. However, despite the fact that BPMN is a good approach to introduce and understand business processes, there is no opportunity to address security concerns while analysing the business needs. This is a problem, since both business processes and security concerns should be understood in parallel to support a development of the secure systems. In current thesis we introduce the extensions for BPMN 2.0 regarding security aspects. The following proposal is based on alignment of the modelling notation with IS security risk management (ISSRM).We apply a structured approach to understand major aspects of BPMN and propose extensions for security risk management based on the BPMN alignment to the ISSRM concepts. We demonstrate the use of extensions, illustrating how the extended BPMN could express assets, risks and risk treatment on few running examples related to the Internet store assets’ confidentiality, integrity and availability. We believe that our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. We also attempt to observe the following approach in the broader sense and we open a possibility for the business and security model interoperability and the model transformation between BPMN and another modelling approach also aligned to ISSRM, Secure Tropos

BProVe: Tool support for business process verification

This demo introduces BProVe, a tool supporting automated verification of Business Process models. BProVe analysis is based on a formal operational semantics defined for the BPMN 2.0 modelling language, and is provided as a freely accessible service that uses open standard formats as input data. Furthermore a plug-in for the Eclipse platform has been developed making available a tool chain supporting users in modelling and visualising, in a friendly manner, the results of the verification. Finally we have conducted a validation through more than one thousand models, showing the effectiveness of our verification tool in practice

BProVe: A formal verification framework for business process models

Business Process Modelling has acquired increasing relevance in software development. Available notations, such as BPMN, permit to describe activities of complex organisations. On the one hand, this shortens the communication gap between domain experts and IT specialists. On the other hand, this permits to clarify the characteristics of software systems introduced to provide automatic support for such activities. Nevertheless, the lack of formal semantics hinders the automatic verification of relevant properties. This paper presents a novel verification framework for BPMN 2.0, called BProVe. It is based on an operational semantics, implemented using MAUDE, devised to make the verification general and effective. A complete tool chain, based on the Eclipse modelling environment, allows for rigorous modelling and analysis of Business Processes. The approach has been validated using more than one thousand models available on a publicly accessible repository. Besides showing the performance of BProVe, this validation demonstrates its practical benefits in identifying correctness issues in real models

Extension and Application of Event-driven Process Chain for Information System Security Risk Management

Turvatehnika konstrueerimine on üks suuremaid murekohti süsteemi arenduses ja sellele tuleks tähelepanu pöörata kogu arendusprotsessi jooksul. Turvaliseks modelleerimiseks on mitmeid erinevaid keeli, mis aitavad hallata turvariske juba nõuete staadiumis. Käesolevas töös keskendutakse esmalt Event-driven Process Chain (EPC)-le, mida kasutatakse äriprotsesside modelleerimisel. Täpsemalt öeldes uuritakse, kuidas antud keel toetab infosüsteemi turberiskihaldust (ISSRM). Uurimuse eesmärk on välja selgitada EPC jaoks vajalikud turbenõuded. Nende tulemusena saame vastavustabeli EPC konstruktsioonide ja ISSRM domeeni mudeli kontseptide vahel. Järgnevalt laiendame EPC keelt ja selle konstruktsioone EPC ja ISSRM vastavustabeli seostega. Tekkinud laiendatud keelt kutsume “Security-Oriented EPC”. Laiendatud modelleerimiskeel sisaldab uut konstruktsioonide kogumikku, mis viitab ISSRM kontseptidele. Olles selgitanud turvanõuete olulisust varajases arendusstaadiumis, esitleme töötluse suunised, et viia ellu tõlked Security-Oriented EPC ja Mal-Activity Diagrams (MAD) vahel. Meie ettepanek põhineb EPC keele süstemaatiliste ja maandatud laiendustel ja selle vastastikusest sõltuvusest ISSRM domeeni mudelisse. Vastavuses olevad tulemused aitavad ärianalüütikutel mõista, kuidas modelleerida turvariske süsteemi nõuete ja disainimise staadiumites. Lisaks annavad töötluse tulemused võimaluse koostööks erinevate modelleerimiskeelte vahel, mida analüüsitakse kasutades sama kontseptuaalset raamistikku.Security engineering is one of the important concerns during the system development and it should be addressed throughout the whole system development process. Besides, there are several languages for security modeling that help dealing with security risk management at the requirements stage. In this thesis, first of all, we are focusing on Event-driven Process Chain (EPC), which is used during the business process modeling. More specifically, we investigate how this language supports information system security risk management (ISSRM). The purpose of this investigation is the problem of security requirements need of EPC. As a result, we obtain an alignment table between EPC constructs and ISSRM domain model concepts. Next, we extend the EPC language and its constructs with respect to the alignment table between EPC and ISSRM. As a consequence, we call the extended language as “Security-Oriented EPC”. The extended language contains new set of constructs which refer to ISSRM concepts. Lastly, after clarifying the importance of security requirements at the early system development, we present transformation guidelines to perform forward model translations from Security-Oriented EPC to Mal-Activity Diagrams (MAD). During the transformation, our proposal is based on the systematic and grounded extensions of EPC language and its interdependency to the domain model of ISSRM. Alignment results may help business analysts understand how to model security risks at the system requirement and design stages. Also, transformation results pave the way for interoperability between the modeling languages that are analysed using the same conceptual framework

Formalization and Model Checking of BPMN Collaboration Diagrams with DD-LOTOS

Business Process Model and Notation (BPMN) is a standard graphical notation for modeling complex business processes. Given the importance of business processes, the modeling analysis and validation stage for BPMN is essential. In recent years, BPMN notation has become a widespread practice in business process modeling because of these intuitive diagrams. BPMN diagrams are built from basic elements. The major challenge of BPMN diagrams is the lack of formal semantics, which leads to several interpretations of the concerned diagrams. Hence, this work aims to propose an approach for checking BPMN collaboration diagrams to guarantee some properties of smooth functioning of systems modeled by BPMN notation. The verification approach used in this work is based on model checking techniques. The approach proposes as a first step a formal semantics of the collaboration diagrams in terms of the formal language DD-LOTOS, i.e., a phase of the transformation of collaboration diagrams into DD-LOTOS. This transformation is guided by applying the inference rules of the formal semantics of the DD-LOTOS formal language, and we then use the UPPAAL model checker to check the absence of deadlock, safety properties, and liveness properties