Secure Tropos

Keywords: Future Internet, Internet of Things, Security Requirements Engineering

Affiliation: University of Brighton

Area of Application

Secure Tropos is a security-aware software systems development methodology that combines requirements engineering concepts, such as actor, goal and plan, with security engineering concepts, such as threat, security constraint and security mechanism, under a unified process to support the analysis and development of secure and trustworthy software systems.

The original version of the methodology (2003-2013) was based on an adapted version of the i* language and the Tropos methodology development stages. Version 2 of the methodology (2013-) includes a number of enhancements such as a new streamlined security-aware process, a new set of security related concepts that enhance the security analysis, and a new set of techniques that enable automatic analysis of various security aspects of the system under development.

The methodology is supported by the SecTro tool, which supports the development of Secure Tropos models, provides a set of analysis techniques and enables the automatic generation of Word and PDF files.

The SecTro is a comprehensive CASE tool, which supports the second version of the Secure Tropos methodology. It is the second iteration of the dedicated tool, which aims to be stable even with very large models, be easy to use, provide automation and assistive features, and build a solid base for future improvements.

1. All views of the same system are combined into a single model for clutter-free management:

  • Views are automatically synchronised between each other to ease the design process
  • Automatic model integrity checks are performed during modelling activities

2. Easy model sharing and documentation capabilities:

  • Models can be saved to various image formats
  • Models or parts of them can be sent to a printer
  • Recently introduced report generation allows exporting model reports in Word and PDF formats

3. Models can be analysed using several analysis methods (e.g. Security Constraints analysis, Threat mitigation analysis)

4. The Design Pattern Library (DPL) add-on allows capturing meaningful parts of models and reusing them later:

  • Automated design pattern insertion into the currently open model/view
  • Design patterns can be chained into meaningful sets
  • Design patterns can be exported and imported as an XML file for easy sharing
  • Each saved design pattern comes with a graphical representation

5. Models can be exported into an XML file:

  • Default XML export mode (i.e. all data from the model)
  • Transformed to a required XML structure by supplying an XSLT file. XSLT files can be saved in the SecTro2 database and reused at any time


The Secure Tropos methodology is based on the principle that security should be analysed and considered from the early stages of the software system development process and not added as an afterthought. As such, the methodology provides a modelling language, a security-aware process and a set of algorithms to support the analysis and consideration of security from the early stages of the development process.

The Secure Tropos language consists of a set of concepts from the requirements engineering domain, and in particular Goal-Oriented Requirements, such as actor, goal, plan and dependency, enriched with concepts from security engineering such as security constraint, security objective and attacks.

The process in Secure Tropos is one of analysing the security needs of an organisation by identifying security constraints and modelling relevant security objectives and security mechanisms to satisfy those constraints. In parallel, threat analysis is performed at both the organisational and technical levels. Relevant security attack scenarios are identified and modelled to support threat analysis.