Modern enterprise systems need to implement and comply to increasingly complex security, compliance, and privacy policies. To address this need, we developed SecureBPMN, a model-driven security approach for process-driven systems.

SecureBPMN: model-driven security for process-driven systems

SecureBPMN is a model-driven security approach for business-process-driven systems. SecureBPMN integrates security and privacy aspects into BPMN. It allows to model, formally analyze SecureBPMN models as well as to generate code and configuration artefacts.

The SecureBPMN Modeling and Verification Environment
The SecureBPMN Modeling and Verification Environment

On the one hand, SecureBPMN provides a domain-specific modeling language that allows to model security aspects (e.g., access control, separation of duty, confidentiality). SecurePBPMN is defined as a meta-model that can easily be integrated into BPMN and, thus, can be used for modeling secure and business processes as well as secure service compositions.

On the other hand, SecureBPMN provides and end-to-end modeling, verification, and validation approach for building systems that comply to complex security, privacy, or compliance requirements. The SecureBPMN tool chain does not only support modeling of secure business process and service compositions: it also supports the formal analysis both on the level of SecureBPMN models as well as refinement properties between the model and the actual implementation.

The SecureBPMN tool chain is free software For more information, please visit the SecureBPMN homepage. The source code is available in our git repository.

Important Publications

1. Salnitri, M., Brucker, A. D., and Giorgini, P. “From Secure Business Process Models to Secure Artifact-Centric SpecificationsEnterprise, business-process and information systems modeling BPMDS (2015): 246–262. doi:10.1007/978-3-319-19237-6_16, URL:

2. Kohler, M., Brucker, A. D., and Schaad, A. “ProActive Caching: Generating Caching Heuristics for Business Process EnvironmentsInternational conference on computational science and engineering (cse) 3, (2009): 207–304. doi:10.1109/CSE.2009.177, URL:

3. Brucker, A. D., Hang, I., Lückemeyer, G., and Ruparel, R. “SecureBPMN: Modeling and Enforcing Access Control Requirements in Business ProcessesConf-sacmat (2012): 123–126. doi:10.1145/2295136.2295160, URL:

4. Brucker, A. D. and Hang, I. “Secure and Compliant Implementation of Business Process-Driven SystemsJoint workshop on security in business processes (sbp) 132, (2012): 662–674. doi:10.1007/978-3-642-36285-9_66, URL:

5. Compagna, L., Guilleminot, P., and Brucker, A. D. “Business Process Compliance via Security Validation as a ServiceIEEE sixth international conference on software testing, verification and validation (icst) (2013): 455–462. doi:10.1109/ICST.2013.63, URL:

6. Brucker, A. D. “Integrating Security Aspects into Business Process Modelsit - Information Technology 55, no. 6 (2013): 239–246. doi:10.1524/itit.2013.2004, URL:

7. Asim, M., Yautsiukhin, A., Brucker, A. D., Baker, T., Shi, Q., and Lempereur, B. “Security Policy Monitoring of BPMN-Based Service CompositionsJournal of Software: Evolution and Process (2018): doi:10.1002/smr.1944, URL:

8. Brucker, A. D., Zhou, B., Malmignati, F., Shi, Q., and Merabti, M. “Modelling, Validating, and Ranking of Secure Service CompositionsSoftware: Practice and Expierence (SPE) 47, no. 12 (2017): 1912–1943. doi:10.1002/spe.2513, URL: