Compliance Validation of Secure Service Compositions

  • Achim D. Brucker
  • Luca Compagna
  • Pierre Guilleminot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8900)


The Aniketos Secure Composition Framework supports the specification of secure and trustworthy composition plans in term of BPMN. The diversity of security and trust properties that is supported by the Aniketos framework allows, on the one hand, for expressing a large number of security and compliance requirements. On the other hand, the resulting expressiveness results in the risk that high-level compliance requirements (e.g., separation of duty) are not implemented by low-level security means (e.g., role-based access control configurations).

In this chapter, we present the Composition Security Validation Module (CSVM). The CSVM provides a service for checking the compliance of secure and trustworthy composition plans to the service designer. As proof-of-concept we created a prototype in which the CSVM module is deployed on the SAP NetWeaver Cloud and two CSVM Connectors are built supporting two well-known BPMN tools: SAP NetWeaver BPM and Activiti Designer.


Validation Security BPMN SecureBPMN Compliance 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    van der Aalst, W.M.P., Dumas, M., Gottschalk, F., ter Hofstede, A.H.M., La Rosa, M., Mendling, J.: Correctness-preserving configuration of business process models. In: Fiadeiro, J.L., Inverardi, P. (eds.) FASE 2008. LNCS, vol. 4961, pp. 46–61. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Armando, A., Carbone, R., Compagna, L.: LTL Model Checking for Security Protocols. Journal of Applied Non-Classical Logics 19(4), 403–429 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  3. 3.
    Arsac, W., Compagna, L., Kaluvuri, S.P., Ponta, S.E.: Security validation tool for business processes. In: Breu, R., Crampton, J., Lobo, J. (eds.) SACMAT, pp. 143–144. ACM (2011a)Google Scholar
  4. 4.
    Arsac, W., Compagna, L., Pellegrino, G., Ponta, S.E.: Security Validation of Business Processes via Model-Checking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 29–42. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Brucker, A.D., Hang, I.: Secure and compliant implementation of business process-driven systems. In: La Rosa, M., Soffer, P. (eds.) PM 2012 Workshops. LNBIP, vol. 132, pp. 662–674. Springer, Heidelberg (2012)Google Scholar
  6. 6.
    Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and enforcing access control requirements in business processes. In: ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 123–126. ACM Press (2012), doi: 10.1145/2295136.2295160Google Scholar
  7. 7.
    Brucker, A.D., Malmignati, F., Merabti, M., Shi, Q., Zhou, B.: A framework for secure service composition. In: International Conference on Information Privacy, Security, Risk and Trust (PASSAT), pp. 647–652. IEEE Computer Society (2013), doi:10.1109/SocialCom.2013.97Google Scholar
  8. 8.
    Compagna, L., Guilleminot, P., Brucker, A.D.: Business process compliance via security validation as a service. In: Oriol, M., Penix, J. (eds.) IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST), pp. 455–462. IEEE Computer Society (2013) doi: 978-1-4673-5961-0Google Scholar
  9. 9.
    Dijkman, R.M., Dumas, M., Ouyang, C.: Semantics and analysis of business process models in BPMN. Information & Software Technology 50(12), 1281–1294 (2008), doi:10.1016/j.infsof.2008.02.006CrossRefGoogle Scholar
  10. 10.
    Mülle, J., von Stackelberg, S., Böhm, K.: A security language for BPMN process models. Tech. rep., University Karlsruhe, KIT (2011)Google Scholar
  11. 11.
    OMG: Business Process Modeling Notation, BPMN (2011),
  12. 12.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE - Trans. Inf. Syst. E90-D, 745–752 (2007), doi:10.1093/ietisy/e90-d.4.745Google Scholar
  13. 13.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In: Bider, I., Gaaloul, K., Krogstie, J., Nurcan, S., Proper, H.A., Schmidt, R., Soffer, P. (eds.) BPMDS 2014 and EMMSAD 2014. LNBIP, vol. 175, pp. 200–214. Springer, Heidelberg (2014)Google Scholar
  14. 14.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  15. 15.
    Wolter, C., Meinel, C.: An approach to capture authorisation requirements in business processes. Requir. Eng. 15(4), 359–373 (2010), doi:10.1007/s00766-010-0103-yCrossRefGoogle Scholar
  16. 16.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Achim D. Brucker
    • 1
  • Luca Compagna
    • 2
  • Pierre Guilleminot
    • 2
  1. 1.SAP SEKarlsruheGermany
  2. 2.SAP SESophia-AntipolisFrance

Personalised recommendations