Secure Tropos

Keywords: Future Internet, Internet of Things, Security Requirements Engineering

Affiliation: University of Brighton


The Secure Tropos Methodology

Brief Introduction

The Secure Tropos methodology (Mouratidis, 2004) is based on the principle that security should be analysed and considered from the early stages of the software system development process and not added as an afterthought. As such, the methodology provides a modelling language, a security-aware process and a set of algorithms to support the analysis and consideration of security from the early stages of the development process. 

The Secure Tropos language consists of a set of concepts from the requirements engineering domain, in particular Goal-Oriented Requirements Engineering, such as actor, goal, plan and dependency, enriched with concepts from security engineering such as security constraint, security objective and attack.

The process in Secure Tropos is one of analysing the security needs of the stakeholders and the system in terms of security constraints, imposed on the stakeholders and the system, identifying security objectives that guarantee the satisfaction of these security constraints, and assigning secure plans and resources to the system to help towards the satisfaction of the security objectives.

General Guidelines

Secure Tropos is based on the concept of Security Constraint. In the context of software engineering, a constraint is usually defined as a restriction that can influence the analysis and design of a software system under development by restricting some alternative design solutions, by conflicting with some of the requirements of the system, or by refining some of the system's objectives. In other words, constraints can represent a set of restrictions that do not permit specific actions to be taken or prevent certain objectives from being achieved. Often constraints are integrated in the specification of existing textual descriptions. However, this approach can often lead to misunderstandings and an unclear definition of a constraint and its role in the development process. Consequently, this results in errors in the very early development stages that propagate to the later stages of the development process, causing many problems when, and if, they are discovered. Therefore, in the Secure Tropos modelling language we define security constraints as a separate concept. To this end, the concept of security constraint has been defined within the context of Secure Tropos as: A security condition imposed to an actor that restricts achievement of an actor's goals, execution of plans or availability of resources. Security constraints are outside the control of an actor.

An actor (Bresciani et al., 2004) in Secure Tropos represents an entity that has intentionality and strategic goals within the software system or within its organisational setting. Within a network of actors, which is usually the case in large software systems with multiple stakeholders, one actor might depend on another actor for a goal, a plan or a resource. A goal (Bresciani et al., 2004) represents a condition in the world that an actor would like to achieve. In other words, goals represent an actor's strategic interests.

A Security Objective represents an objective that is assigned to an actor, and it indicates a course of action that the actor needs to follow to satisfy one or more security constraints. The satisfaction of one or more security constraints by a security objective is defined through a Satisfies relationship. A plan represents, at an abstract level, a way of doing something (Bresciani et al., 2004). The fulfilment of a plan can be a means for satisfying a goal. As such, the different (alternative) plans that actors might employ to achieve their goals are modelled, enabling software engineers to reason about the different ways that actors can achieve their goals and to decide on the best possible way. A Secure Plan represents a plan that supports the satisfaction of a security objective. A resource (Bresciani et al., 2004) represents a physical or informational entity that one of the actors requires. The main concern when dealing with resources is whether the resource is available and who is responsible for its delivery. A Secure Resource represents a physical or informational resource that needs to be secured, for example a health care record.

To support the analysis and evaluation of the developed security solution, the modelling language supports the modelling of security attacks. An attack is an action that might cause a potential violation of security in the system (this definition has been adopted from Matt Bishop's definition of a computer attack). Within the context of an attack, an attacker represents a malicious actor that has an interest in attacking the system. As described above, an actor has intentionality and strategic goals within the system. In the case of an attacker, the intentionality and strategic goals are related to breaking the security of a system and identifying and executing malicious goals.

To support the modelling of an actor depending on another actor for a security objective, secure plan and/or secure resource, Secure Tropos introduces the idea of Secure Dependency. A Secure Dependency introduces one or more Security Constraint(s) that must be fulfilled for the dependency to be valid.
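The chain described above (security constraint, Satisfies relationship, security objective, secure plan, secure dependency) can be checked mechanically once a model is written down. The sketch below is an added example, not part of Secure Tropos or its tooling: the class names, the analyse function, the sample actors and the rule that the dependee must fulfil a dependency's constraints are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Actor:
    name: str
    constraints: set = field(default_factory=set)     # security constraints imposed on the actor
    objectives: dict = field(default_factory=dict)    # security objective -> constraints it Satisfies
    secure_plans: dict = field(default_factory=dict)  # secure plan -> security objective it supports

@dataclass
class SecureDependency:
    depender: str
    dependee: str
    dependum: str     # the secure resource, secure plan or security objective depended on
    constraints: set  # constraints that must be fulfilled for the dependency to be valid

def satisfied(actor):
    """Constraints covered by a security objective that some secure plan supports."""
    supported = set(actor.secure_plans.values())
    return {c for obj, cs in actor.objectives.items() if obj in supported for c in cs}

def analyse(actors, dependencies):
    """List the gaps in the constraint -> objective -> secure plan chain."""
    findings = []
    for a in actors.values():
        findings += [f"{a.name}: constraint '{c}' is not satisfied"
                     for c in sorted(a.constraints - satisfied(a))]
        findings += [f"{a.name}: objective '{o}' has no secure plan"
                     for o in sorted(set(a.objectives) - set(a.secure_plans.values()))]
    for d in dependencies:
        # Assumption: the dependee is the actor that must fulfil the constraints.
        missing = sorted(d.constraints - satisfied(actors[d.dependee]))
        if missing:
            findings.append(f"{d.depender} -> {d.dependee} ({d.dependum}): invalid, unfulfilled {missing}")
    return findings

# Constructed sample model; only the health care record comes from the page.
ACTORS = {
    "Clinic": Actor("Clinic"),
    "Records Service": Actor(
        "Records Service",
        constraints={"keep record private", "keep record unaltered"},
        objectives={"ensure confidentiality": {"keep record private"},
                    "ensure integrity": {"keep record unaltered"}},
        secure_plans={"encrypt record": "ensure confidentiality"}),
}
DEPENDENCIES = [SecureDependency("Clinic", "Records Service", "health care record",
                                 {"keep record private", "keep record unaltered"})]

if __name__ == "__main__":
    print("\n".join(analyse(ACTORS, DEPENDENCIES)))
```

In the sample model the integrity objective has no secure plan, so its constraint stays unsatisfied and the secure dependency on the health care record is reported as invalid; adding a secure plan for that objective clears all three findings.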