As the use of information systems is increasing rapidly everyday in finance, military, education, health care, and transportation, the need of security is increasing respectively. The stored information in many cases is sensitive and has to be secured by protecting it from any attack. In other words, there should be cost effective and operationally effective protection from undesirable events [1].
It is already agreed by the industry and research community, that security has to be considered from the early phases of the software development process [2]. Having defined the security requirements along with the functional requirements will enable the better comprehension of the system's security issues and limit the conflicts between the security and functional requirements for more secure information systems [1].
Secure Tropos is a security requirements engineering methodology that considers security throughout the whole development process [1]. The approach identifies, models and analyses the security issues from the early stages of software development within the organization and social settings [2]. But, the fact that it considers security from the early stages of software development, results in a serious increase of the activities in the software development stages and therefore requires the existence of a software tool to support the development process [2]. This paper demonstrates a tool, named SecTro, which assists the security analysts in constructing the relevant Secure Tropos diagrams that are required in order to identify, model and analyze the security issues.
The rest of the paper is structured as follows. Section 2 is a review on Secure Tropos. Section 3 illustrates the tool that supports Secure Tropos. Section 4 discusses the related work while section 5 concludes the paper and presents future work.
Secure Tropos is an extension of Tropos methodology that takes security into account and is based on the concept of security constraint. Also, the Tropos concepts of dependency, goal, task, resource, and capability were also extended with security in mind and formed the secure entities [1,3]. Secure Tropos includes the following modelling activities, the security reference modelling, the security constraint modelling, the secure entities modelling, and the secure capability modelling. In addition, it consists of four stages, the early requirements, the late requirements, the architectural design, and the detailed design stages. The metamodel of Secure Tropos [4] is shown in Fig. 1 and for a more detailed description of Secure Tropos please refer to [1], [3]. 3 The SecTro Tool
SecTro is a standalone application that was built with the Java programming language making it a portable application across different platforms. The package diagram is shown in Fig. 2 and descriptions of the packages are given in Table 1. The class diagram of the classes that are responsible for the drawing functionality of the tool is shown in Fig. 3. In the ElementType class belong all the elements that can be drawn, such as an actor and a hard goal, and in the LinkType class belong all the links between the elements, such as the "plays" link and the "satisfies" link. The class diagram of the graphical user interface (GUI) package is shown in Fig. 4.
SecTro's workspace (Fig. 5) consists of the drawing canvas in the centre, on the top there is a series of tabs for showing the developed diagrams for each stage of Secure Tropos, the project explorer and the properties panel are on the right side, the toolbox (Fig. 6) is on the left side, and the SecTro assistant at the bottom of the workspace. The graphical representations of all the concepts of Secure Tropos by the SecTro tool are shown in Fig. 7 and the graphical representation of the secure dependency is shown in Fig. 8. The main functionalities of the SecTro are to support the developer in the modelling activities of Secure Tropos. Therefore, the tool enables the developer to perform security reference modelling (Fig. 9), security constraint modelling (Fig. 10), secure entities modelling (Fig. 11), and secure capability modelling. During these activities the tool has a mechanism for checking the rules and constraints and informs the developer for any error. Also, the SecTro assistant panel shows more information about the rules and constrains, the concepts and the meta-models. In this way it assists the developer in the learning process of Secure Tropos methodology. Furthermore, the tool enables the developer to export the diagrams as images and in XML format. During the architectural design the architecture of the system is defined. The tool can automatically generate the architecture style and the system decomposition. However, the activities of the architectural design can be a very difficult task for a developer without knowledge of security. Finally, in most cases, during the end of the architectural design the security attack testing takes places, where the design of the system is tested against the security requirements [5]. The tool automatically generates for the developer the security attack scenario template and the security test case template.
Although Secure Tropos is still in research and it is difficult to develop a CASE tool for a methodology that is still in research, the i* modelling framework has been out for some years and a number of related CASE tools were developed to support it. OME [6], OpenOME [7], REDEPEND-REACT [8], TAOM4e [9], GR-Tool [10], T-Tool [9], ST-Tool [11], J-PRiM [12], jUCMNav [13], SNet Tool [14], and DesCARTES [15] are some examples of such tools.
The aforementioned tools, although they were developed for different ultimate purposes, they all provide support for the i* modelling framework, which is the modelling framework that was adopted by Secure Tropos as well. But, Secure Tropos introduces new concepts that none of the previous tools enables their graphical representation, i.e. security constraint, secure goal, secure plan, secure resource, and secure capability. Also, the previous tools don't provide support for the modelling activities that Secure Tropos introduces, i.e. security constraint modelling, secure entities modelling, and secure capability modelling. So, despite the fact that experienced users with Secure Tropos can make conventions and use the previous tools to construct single diagrams; these tools are not adequate to support the Secure Tropos methodology.
The tool supports the developers in the modelling activities of the early and late requirements and architectural design stages of Secure Tropos by assisting them in the construction of the relevant concepts and models that are required during the new modelling activities. Its user-friendly interface makes it easy to use and assists security analysts who are not familiar with the methodology, by providing them with information about the methodology concepts, stages, and metamodels. Also, it enforces rules and constraints and provides valuable feedback on various actions of the developers in an interactive way. The tool has already been used by the students of university of East London to model and analyse security issues of a real industry case study. However, the tool does not support the modelling activities of the detailed design stage and we consider this as future work. In addition, future work includes the extension of the XML Schema in order to validate more models of the methodology.