Serenity, System Engineering for Security & Dependability
Information Society and Media, Sixth Framework Programme

Workflow & Services

Overview of the trends and evolution in Workflow & Services

Workflows are automated representations of business processes that enhance business flexibility and maintainability through separation of the business policy from the applications. In the ambient intelligence environment, workflow management applications will extend content integration and will need to combine functionality from many different applications, rendering security issues at the workflow level prominent. Modelling tools and languages such as the Workflow Management Coalition (WfMC), WPDL/XPDL, BPEL, BPEL4WS or UML don’t provide support for identifying and recording security requirements in an explicit way.

The deliverable
In the deliverable document "State of the art in Workflow & Services", four fields of study have been identified: workflow modelling, formal requirements specification, security requirements engineering and workflow security tools.

Key findings:

Workflow modelling
Activities within an organisation, as well as inter-organisational activities, are most commonly modelled as workflows. Workflows describe organisational activities at a rather high level of abstraction, which may be an enabler for describing constraints related to security and dependability aspects. Whether we describe security and dependability requirements or any other functional or non-functional requirements, the workflow modelling language is considered the most critical component.
Emerging industry standards in workflow modelling, such as the BPEL language, are strongly supported by the main software vendors and are focusing on the integration of web services with business processes or workflows. Thus, two trends that should be taken into account, as they have significant implications for security, are the integration of workflows with web services and the emergence of BPEL as the new workflow modelling industry standard.

Formal requirements specification
Formal methods, though supported by systems engineering research, have been met by systems developers with hesitation and distrust. Formal methods are in fact still perceived as too cumbersome and complicated to be generally applied, and are relegated to the most critical sections of software development and software systems. However, current work on formal methods focuses on improving their usability and the integration of formal languages in comprehensive system development tools. Such tools provide a graphical interface for system analysis and design, whilst encapsulating and hiding the formal part of requirements specification.
As far as security and dependability are concerned, without a formal specification of the system, there is no possibility of determining any level of confidence in the correctness of an implementation of a complex system. Therefore, the adoption of a formal approach is strongly recommended, although semi-formal approaches could be followed as well.

Security requirements engineering
Integrating the security aspect in the systems engineering process has been a challenging target for at least the last decade, and several proposals have been made by the research community in this direction. These are mainly focused on the security extension of current systems analysis and design methods, e.g. UMLsec, SSE-CMM, etc. None of them, however, has yet been adopted by systems engineers and the systems development industry. The new trend currently emerging is the use of pattern technology in security engineering. Although there are still many obstacles that hinder the wide adoption of security patterns (e.g. the lack of a standard structure), they are considered a promising solution as they are flexible, adaptable and relate to the culture of system engineers.

Workflow security tools
One of the objectives of Activity Workflow & Services is to develop a tool for the analysis, design and verification of security patterns for workflows. Currently, there is no tool that provides this kind of functionality. There are several tools that compile and verify formal models to code and other tools that compile and verify workflow models, but none of those addresses the security issues in workflows. Nevertheless, we have identified some of the desired properties that such a tool should possess. The provision of a graphical interface for security analysis and design, the use of formal verification methods, the ability to handle complex workflows, and vendor independence are some of the most significant desired properties.
