Towards a Methodological Tool Support for Modeling Security-Oriented Processes

  • Jacob GeiselEmail author
  • Brahim Hamid
  • David Gonzales
  • Jean-Michel Bruel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9893)


Development processes for software construction are common knowledge and widely used in most development organizations. Unfortunately, these processes often offer only little or no support in order to meet security requirements. In our work, we propose a methodology to build domain specific process models with security concepts on the foundations of industry-relevant security approaches, backed by a security-oriented process model specification language. Instead of building domain specific security-oriented process models from the ground, the methodology allows process designers to fall back on existing well established security approaches and add domain relevant concepts and repository-centric approaches, as well as supplementary information security risk management standards (e.g., Common Criteria), to fulfill the demand for secure software engineering. Supplementary and/or domain specific concepts can be added trough our process modeling language in an easy and direct way. The methodology and the process modeling language we propose have been successfully evaluated by the TERESA project for specifying development processes for trusted applications and integrating security concepts into existing process models used in the railway domain.


Process modeling Secure software engineering Model-Driven Engineering MDE toolchain Repository Reuse 


  1. 1.
    Common Criteria: common criteria for information technology security evaluation v3.1r4. Technical report CCMB-2012-09-001/002/003, Common Criteria (2012)Google Scholar
  2. 2.
    Die Beauftragte der Bundesregierung für Informationstechnik. V-modell XT (2005)Google Scholar
  3. 3.
    Forsberg, K., Mooz, H., Cotterman, H.: Visualizing Project Management. A Model for Business and Technical Success, 2nd edn. Wiley, New york (2000)Google Scholar
  4. 4.
    Geisel, J., Hamid, B., Bruel, J.-M.: Repository-centric process modeling – example of a pattern based development process. In: Lee, L. (ed.) Software Engineering Research, Management and Applications. Studies in Computational Intelligence, vol. 496, pp. 247–261. Springer, Switzerland (2014)CrossRefGoogle Scholar
  5. 5.
    Gonzalez-Perez, C., Henderson-Sellers, B.: Modelling software development methodologies: a conceptual foundation. J. Syst. Softw. 80(11), 1778–1796 (2007)CrossRefGoogle Scholar
  6. 6.
    Hamid, B., Geisel, J., Ziani, A., Gonzalez, D.: Safety lifecycle development process modeling for embedded systems - example of railway domain. In: Avgeriou, P. (ed.) SERENE 2012. LNCS, vol. 7527, pp. 63–75. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. 7.
    Hug, C., Front, A., Rieu, D., Henderson-Sellers, B.: A method to build information systems engineering process metamodels. J. Syst. Softw. 82(10), 1730–1742 (2009)CrossRefGoogle Scholar
  8. 8.
    Kruchten, P.: The Rational Unified Process: An Introduction, 3rd edn. Addison-Wesley Longman Publishing Co., Inc., Boston (2003)Google Scholar
  9. 9.
    McGraw, G.: Software Security: Building Security, 3rd edn. Addison-Wesley Professional, Boston (2006)Google Scholar
  10. 10.
    Microsoft: Microsoft Security Development Lifecycle (SDL) process guidance - version 5.2 (2012)Google Scholar
  11. 11.
    OBEO: Acceleo (2014).
  12. 12.
    OMG: Software and systems process engineering metamodel specification (SPEM) version 2.0. Technical report, Object Management Group Inc. (2008)Google Scholar
  13. 13.
    OWASP: OWASP CLASP V1.2. OWASP, November 2007Google Scholar
  14. 14.
    Selic, B.: The pragmatics of model-driven development. IEEE Softw. 20(5), 19–25 (2003)CrossRefGoogle Scholar
  15. 15.
    SEMCO: System and software engineering for embedded systems applications with multi-concerns support (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Jacob Geisel
    • 1
    Email author
  • Brahim Hamid
    • 1
  • David Gonzales
    • 2
  • Jean-Michel Bruel
    • 1
  1. 1.IRIT, University of ToulouseToulouseFrance
  2. 2.IkerlanMandragonSpain

Personalised recommendations