INTEGRATING AND AUTOMATING SECURITY ENGINEERING IN UML

摘要

Software Engineering techniques have been developed to tackle the increasing complexity of the new software applications but security technology is still erroneously considered as supplementary. Security engineering techniques are not integrated within software engineering processes but added once software is finally (or almost) deployed. Security Engineering is usually based on formal and highly theoretic methods and not tightly related with the software being deployed. This has very negative consequences in the security of the software systems being deployed. On the other hand, software engineering tools are mostly based on graphical notations with no precise semantics and no support for security-related requirements and properties. This paper presents partial results of the CASENET European Union IST project. The overall objective of our work has been to define and implement a tool-supported integrated framework and methodology that allow the accurate development of a business model driven architecture for security-critical systems and applications, such as e-commerce and e-government. The ultimate objective has been the automatic generation of executable systems with fully configured security infrastructures from the business process model.