Short Introduction Achim D. Brucker a.brucker@sheffield.ac.uk - - PowerPoint PPT Presentation


Short Introduction Achim D. Brucker a.brucker@sheffield.ac.uk http://www.brucker.uk/ Department of Computer Science, The University of Sheffield, Sheffield, UK Dagstuhl Seminar 16191: Fresh Approaches to Business Process Modeling


SLIDE 1

Short Introduction

Achim D. Brucker

a.brucker@sheffield.ac.uk http://www.brucker.uk/

Department of Computer Science, The University of Sheffield, Sheffield, UK

Dagstuhl Seminar 16191: “Fresh Approaches to Business Process Modeling”

http://www.dagstuhl.de/16191

08.05.2016 – 13.05.2016

SLIDE 2

Personal Background

Since 12/2015:

Senior Lecturer at The University of Sheffield, UK

  • Software Assurance (Security, Reliability), Model-driven Engineering, Formal Methods

SAP SE, Germany

Member of the central security team

  • Security Testing Strategist
  • Security Research Expert/Architect

Work areas:

  • Ensure that SAP products are built securely
  • Development of new security features for SAP products
  • Applied research (security, reliability, ...)
  • ...

PhD (Dr. sc. ETH) from ETH Zurich, Switzerland

Software Engineering, Information Security, Formal Methods

http://www.brucker.uk/

A.D. Brucker The University of Sheffield Short Introduction 08.02.2015 – 13.08.2015 2

SLIDE 3

Model-driven Security for Business Process-driven Systems

Contributions to the Seminar

Security aware process-driven systems

Modelling

Implementation

Operation

Technology

SLIDE 4

Model-driven Security for Business Process-driven Systems

Contributions to the Seminar

Security aware process-driven systems

Modelling

Extending BPMN with security and compliance aspects

  • SecureBPMN (BPMN 1.x, access control and compliance)
  • SecBPMN (BPMN 2.0, broad security scope, rather abstract)

Formal analysis of security annotated BPMN models

  • Dolev-Yao-style attacker model
  • SAT-based model-checker (SATMC)

Implementation

Operation

Technology

SLIDE 5

Model-driven Security for Business Process-driven Systems

Contributions to the Seminar

Security aware process-driven systems

Modelling

Implementation

BPMN execution engines

  • Generic extension with security hooks

Semi-manual implementation

  • Security-aware BPMN execution engines
  • Generation of code including security enforcement
  • Static source code analysis (based on secure BPMN spec.) of manual implementation and configurations

Generation of security configurations

  • XACML policies
  • Log/audit configurations

Operation

Technology

SLIDE 6

Model-driven Security for Business Process-driven Systems

Contributions to the Seminar

Security aware process-driven systems

Modelling

Implementation

Operation

Identity/user management

Consistency check of federated user management

Enforcement

XACML policies

Monitoring

Runtime monitoring using ConSpec

Technology

SLIDE 7

Model-driven Security for Business Process-driven Systems

Contributions to the Seminar

Security aware process-driven systems

Modelling

Implementation

Operation

Technology

BPMN-based systems:

  • Activiti BPMN
  • SAP Netweaver BPMN
  • jBPMN (JBoss/RedHat)

Artifact-based/Transaction-based systems

  • SAP Business Suite (ABAP)
  • SAP HANA (RDL)

SLIDE 8

Thank you for your attention!

Any questions or remarks?

Contact:

  • Dr. Achim D. Brucker

Department of Computer Science
University of Sheffield
Regent Court
211 Portobello St.
Sheffield S1 4DP
UK

Phone: +44 114 22 21806
https://de.linkedin.com/in/adbrucker
https://www.brucker.uk
https://www.logicalhacking.com
a.brucker@sheffield.ac.uk