Domain-Specific Languages for Model-Driven Security Engineering

Austrian Research Promotion Agency

Security issues in software systems have become a major problem in every day's life, such as software end users, companies, and governments - just to name a few. Current software engineering processes do not emphasize the modeling and design of security properties of software artifacts. Security features are often integrated in an ad-hoc manner and are not planned systematically. Furthermore, security software tests may be skipped due to tight software delivering cycles. Research has repeatedly shown that eliminating errors early in the software development process is far cheaper than fixing security holes at a later stage or in productive systems. However, less effort is put in creating processes which take security concerns from the beginning of software developments into account.

In the ModSec project we build on the concept of Domain-Specific Languages (DSLs) for specifying security requirements in business processes on the modeling-level and automatically transform these models to the system-level. Thereby, emphasizing the integration and test of different security- and process-related DSLs to ensure compliance of model- and system-level implementations.

The proposed approach should allow for a software development cycle considering security aspects in software engineering processes right from the beginning. Thus, research done in the ModSec project will help to minimize the risk of security issues emerging from the development of process-aware information systems. The outcome will be new methods, concepts, and software artifacts in the area of DSL-based Model-Driven Security Engineering (MDSE).