Secure Tropos

securetropos2 Secure Tropos

Funded under various schemes


Software systems become more and more critical in every domain of the human society. Transportation, telecommunications, entertainment, health care, military, education and so on; the list is almost endless. These systems are used not only by major corporations and governments but also across networks of organizations and by individual users. Such wide use has resulted in these systems containing a large amount of critical information and processes which inevitably need to remain secure. Therefore, although it is important to ensure that software systems are developed according to the user needs, it is equally important to ensure that these systems are secure.

However, the common approach towards the inclusion of security within a software system is to identify security requirements after the definition of a system. This typically means that security enforcement mechanisms have to be fitted into a pre-existing design, leading to serious design challenges that usually translate into the emergence of computer systems afflicted with security vulnerabilities. Moreover, security is traditionally approached as a technical issue that requires a technical solution. This treatment of security has led to the development of a number of security mechanisms and protocols that on one hand are successfully used in modern software systems but on the other hand, they have failed to ensure an acceptable degree of security.

Security of software systems has been transformed from a mono-dimensional technical issue to a two-dimensional issue that includes a technical dimension (related to challenges and problems associated to the available technology and the infrastructure of software systems) and a social dimension (which includes issues and problems related to the correct elicitation and analysis of security requirements and the involvement of humans in securing software systems). To effectively consider both dimensions, the research literature argues that it is essential for security to be considered from the early stages and throughout the software development lifecycle and a sound software engineering methodology needs to be developed that supports the simultaneous analysis of both dimensions of security.

Secure Tropos is based on the Tropos methodology, which uses the concepts of actor (entity that has strategic goals and intentionality), goal (an actor’s strategic interest), soft-goal (goal without clear criteria whether it is satisfied or not), task (it represents the way of doing something), resource (it represents a physical or informational entity, without intentionality) and social dependencies (indicate that one actor depends on another in order to attain some goals, execute some tasks, or deliver a resource).

Secure Tropos extends the Tropos methodology by adding security concerns during the development process. In particular, Secure Tropos extends the Tropos language as well as its development process. The language extension consists of redefining existing concepts with security in mind as well as introducing new concepts:

  • A security constraint is defined as a restriction related to security issues, such as privacy, integrity and availability, which can influence the analysis and design of the information system under development by restricting some alternative design solutions, by conflicting with some of the requirements of the system, or by refining some of the system’s objectives.
  • Secure Tropos uses the term secure entity to describe any goals and plans related to the security of the system. A secure goal represents the strategic interests of an actor with respect to security. Secure goals are mainly introduced in order to achieve security constraints that are imposed on an actor or exist in the system. However, a secure goal does not particularly define how the security constraints can be achieved, since alternatives can be considered. The precise definition of how the secure goal can be achieved is given by a secure plan.
  • A secure plan is defined as a plan that represents a particular way for satisfying a secure goal.
  • A secure dependency introduces security constraint(s) that must be fulfilled for the dependency to be satisfied. Both the depender and the dependee must agree for the fulfilment of the security constraint in order for the secure dependency to be valid. That means the depender expects from the dependee to satisfy the security constraint(s) and also that the dependee will make an effort to deliver the dependum by satisfying the security constraint(s).

The process in Secure Tropos is one of analysing the security needs of the stakeholders and the system in terms of security constraints imposed on the stakeholders and the system, identifying secure entities that guarantee the satisfaction of the security constraints, and assigning capabilities to the system to help towards the satisfaction of the secure entities. In particular, as for Tropos, the Secure Tropos methodology covers four main phases:

During the early requirements analysis phase the security reference diagram is constructed and security constraints are imposed on the stakeholders of the system (by other stakeholders). During this stage, imposed security constraints are expressed, initially as high-level statements which are later further analysed. Then secure goals and entities are introduced to the corresponding actors to satisfy the security constraints.

During the late requirements analysis phase, security constraints are imposed on the system to-be (by reference to the security reference diagram). These constraints are further analysed according to the analysis techniques of Secure Tropos and security goals and entities necessary for the system to guarantee the security constraints are identified.

During the architectural design any possible security constraints and secure entities that new actors might introduce are analysed. Additionally, the architectural style of the information system is defined with respect to the system’s security requirements and the requirements are transformed into a design with the aid of security patterns. Furthermore, the agents of the system are identified along with their secure capabilities.

During the detailed design phase, the components identified in the previous development stages are designed with the aid of Agent Unified Modeling Language (AUML). In particular, agent capabilities and interactions taking into account the security aspects are specified with the aid of AUML. The important consideration, from the security point of view, at this stage is to specify the components by taking into account their secure capabilities. This is possible by adopting AUML notation.