11- SecBPMN Tutorial
hosting.unitn.it/salnitri/teaching/OIS2017/11-SecBPMN_Tutorial.pdf · marco.robol@unitn.it
Title: 11- SecBPMN Tutorial. Created Date: 4/21/2017 7:57:54 AM

SecBPMN 2.0 Tutorial

OIS 2017

Marco Robol

marco.robol@unitn.it


STS-tool

- Install STS-tool from http://www.sts-tool.eu/

- Install the SecBPMN2 plugin directly from the marketplace bundled with STS-tool


SecBPMN2 tool interface


Airport Tutorial

Create a new STS Project

1. Create a new “STS Project”
2. Create a new “STS Diagram” (add at least one actor)
3. Create a new “Business Process Diagram” linked to that actor (otherwise the tool does not allow you to perform security analysis)
4. To add diagrams, use the button “Add New Collaboration Diagram”

List of processes

1. Flight plan transmission
2. Co-pilot reads flight plan
3. Passenger cabin prepared
4. Take-off request
5. Generic runway request
6. Specific runway request

Process: Flight plan transmission


Process: Co-pilot reads flight plan


Process: Prepare passenger cabin


Process: Request take-off


Process: Generic runway request


Process: Specific runway request


Policies

- Let’s now define some SecBPMN2-Q policies.

- Create a new «Security Policy Diagram» for each SecBPMN2-Q policy.

Policy: Non-Disclosure


Policy: Confidentiality


Policy: Integrity


Analysis

- Execute «Security Enforcement Analysis» to verify the compliance of the processes with the policies.

- Each pattern/antipattern policy is checked against every process.

Analysis results

- Which policies are verified?
- Which ones are not?
- What is missing in the process?
- … Let’s add the missing security annotations

Process: Flight plan transmission


To Do

1. Add the missing security annotations (see “Integrity”)

2. Modify the process so that it is no longer compliant with the policy “Non-Disclosure”

To do

1. Create a pattern and an anti-pattern policy considering two tasks in a walk. Then create two more policies considering two tasks in a flow.
   - How are they matched against elements in the process?
   - Try the @ keyword

2. Create a pattern and an anti-pattern policy considering two tasks in a negative walk. Then create two more policies considering two tasks in a negative flow.
   - How are the negative walks and flows matched in the processes?

3. Define a pattern and an anti-pattern policy for a walk/flow of tasks across a gateway («Filter runways» and «Book runway»).
   - Are they verified in the process?

To Do

4. Create a pattern and an anti-pattern policy considering the task «Filter runways» and the data objects «List of runways» and «Filtered list of runways».
   - How are they verified in the process?

5. Create a pattern and an anti-pattern policy considering two tasks in a walk, one referring to a task in the process associated with a «call activity».
   - Is the task in the linked process matched?

6. Add the availability requirement to the document «List of runways». Create a policy that verifies that the documents used by the task «Filter runways» are available.
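To make concrete what the «Security Enforcement Analysis» slide means by checking a pattern/antipattern against each process, and what items 1–3 above mean by a walk versus a flow (including the gateway case), here is an added illustration in Python. It is not code from the tutorial or from STS-tool, and it assumes the usual SecBPMN2-Q reading: a *flow* is a direct sequence flow between two elements, a *walk* is reachability through any number of sequence flows, a negative walk/flow holds when no such walk/flow exists, a *pattern* policy is verified when its relation matches the process, and an *antipattern* policy is verified when it does not. The process graph is a constructed toy version of the runway-request process; task and gateway names are assumptions.

```python
from collections import deque

# Constructed toy process model (assumed structure, not the tutorial's diagram).
# Keys are BPMN elements (tasks or gateways); values are the targets of their
# outgoing sequence flows.
PROCESS = {
    "Receive runway request": ["Filter runways"],
    "Filter runways": ["Gateway: runway available?"],
    "Gateway: runway available?": ["Book runway", "Reject request"],
    "Book runway": ["Confirm booking"],
    "Reject request": [],
    "Confirm booking": [],
}


def has_flow(process, src, dst):
    """flow: a direct sequence flow from src to dst, with nothing in between."""
    return dst in process.get(src, [])


def has_walk(process, src, dst):
    """walk: dst is reachable from src through one or more sequence flows."""
    seen, queue = set(), deque(process.get(src, []))
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        if node not in seen:
            seen.add(node)
            queue.extend(process.get(node, []))
    return False


# Assumed semantics: the negative relations hold exactly when the positive
# relation is absent from the process.
RELATIONS = {
    "flow": has_flow,
    "walk": has_walk,
    "negative flow": lambda p, a, b: not has_flow(p, a, b),
    "negative walk": lambda p, a, b: not has_walk(p, a, b),
}


def check_policy(process, relation, src, dst, kind):
    """Verify one SecBPMN2-Q-style policy against one process.

    kind == "pattern":     verified iff the relation matches the process.
    kind == "antipattern": verified iff the relation does NOT match.
    """
    matched = RELATIONS[relation](process, src, dst)
    return matched if kind == "pattern" else not matched


def check_all(process, policies):
    """Run every policy against the process, as the analysis does per process."""
    return {name: check_policy(process, *spec) for name, spec in policies.items()}


# Constructed policies mirroring items 1-3: walk and flow across the gateway,
# a negative walk backwards, and an antipattern on an unreachable pair.
POLICIES = {
    "walk Filter->Book (pattern)": ("walk", "Filter runways", "Book runway", "pattern"),
    "flow Filter->Book (pattern)": ("flow", "Filter runways", "Book runway", "pattern"),
    "flow Filter->Book (antipattern)": ("flow", "Filter runways", "Book runway", "antipattern"),
    "negative walk Book->Filter (pattern)": ("negative walk", "Book runway", "Filter runways", "pattern"),
    "walk Reject->Confirm (antipattern)": ("walk", "Reject request", "Confirm booking", "antipattern"),
}

if __name__ == "__main__":
    for name, verified in check_all(PROCESS, POLICIES).items():
        print(f"{'VERIFIED' if verified else 'VIOLATED':9} {name}")
```

The gateway between «Filter runways» and «Book runway» is what separates the two relations: the walk pattern is verified because a path exists through the gateway, while the flow pattern is violated because no direct sequence flow connects the two tasks, and the flow antipattern is correspondingly verified. Running the same policy set against each process diagram is exactly the per-process check the analysis slide describes.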

Thank you

marco.robol@unitn.it