Skip to main content
SpringerLink
Log in

Supporting Agile Development of Authorization Rules for SME Applications

  • Conference paper
Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2008)

Abstract

Custom SME applications for collaboration and workflow have become affordable when implemented as Web applications employing Agile methodologies. Security engineering is still difficult with Agile development, though: heavy-weight processes put the improvements of Agile development at risk. We propose Agile security engineering and increased end-user involvement to improve Agile development with respect to authorization policy development. To support the authorization policy development, we introduce a simple and readable authorization rules language implemented in a Ruby on Rails authorization plugin that is employed in a real-world SME collaboration and workflow application. Also, we report on early findings of the language’s use in authorization policy development with domain experts.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. ISO/IEC 27001:2005. Information technology – Security techniques – Information security management systems – Requirements. ISO, Geneva, Switzerland

    Google Scholar 

  2. ANSI INCITS 359-2004. Role-Based Access Control. American Nat’l Standard for Information Technology (2004)

    Google Scholar 

  3. Aydal, E.G., Paige, R.F., Chivers, H., Brooke, P.J.: Security planning and refactoring in extreme programming. In: Abrahamsson, P., Marchesi, M., Succi, G. (eds.) XP 2006. LNCS, vol. 4044, pp. 154–163. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  4. Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2(1), 65–104 (1999)

    Article  Google Scholar 

  5. Chivers, H., Paige, R.F., Ge, X.: Agile security using an incremental security architecture. In: Baumeister, H., Marchesi, M., Holcombe, M. (eds.) XP 2005. LNCS, vol. 3556, pp. 57–65. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  6. Church, L.: End user security: The democratisation of security usability. In: Security and Human Behaviour (2008)

    Google Scholar 

  7. Cockburn, A.: Agile Software Development. Addison-Wesley Professional, Reading (2001)

    MATH  Google Scholar 

  8. Dai, J., Alves-Foss, J.: Logic based authorization policy engineering. In: The 6th World Multiconference on Systemics, Cybernetics and Informatics (2002)

    Google Scholar 

  9. Ferraiolo, D., Kuhn, R.: Role-based access controls. In: 15th NIST-NCSC National Computer Security Conference, pp. 554–563 (1992)

    Google Scholar 

  10. Ge, X., Paige, R.F., Polack, F., Brooke, P.J.: Extreme programming security practices. In: Concas, G., Damiani, E., Scotto, M., Succi, G. (eds.) XP 2007. LNCS, vol. 4536, pp. 226–230. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  11. Kongsli, V.: Towards agile security in web applications. In: OOPSLA 2006: Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications, pp. 805–808. ACM, New York (2006)

    Chapter  Google Scholar 

  12. Lieberman, H.: End user development. Springer, Heidelberg (2006)

    Book  Google Scholar 

  13. McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: ACSAC 1999: Proceedings of the 15th Annual Computer Security Applications Conference, Washington, DC, USA, p. 55. IEEE Computer Society, Los Alamitos (1999)

    Google Scholar 

  14. Oh, S., Park, S.: Task-role-based access control model. Inf. Syst. 28(6), 533–562 (2003)

    Article  MATH  Google Scholar 

  15. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)

    Article  Google Scholar 

  16. Sun, Y., Meng, X., Liu, S., Pan, P.: Flexible workflow incorporated with RBAC. In: Shen, W.-m., Chao, K.-M., Lin, Z., Barthès, J.-P.A., James, A. (eds.) CSCWD 2005. LNCS, vol. 3865, pp. 525–534. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  17. Tappenden, A., Beatty, P., Miller, J.: Agile security testing of web-based systems via httpunit. In: AGILE, pp. 29–38. IEEE Computer Society Press, Los Alamitos (2005)

    Google Scholar 

  18. Thomas, R.K., Sandhu, R.S.: Thomas and Ravi S. Sandhu. Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented autorization management. In: Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI, London, UK, pp. 166–181. Chapman & Hall, Ltd., Boca Raton (1998)

    Google Scholar 

  19. Wainer, J., Barthelmess, P., Kumar, A.: W-RBAC - a workflow security model incorporating controlled overriding of constraints. Int. J. Cooperative Inf. Syst. 12(4), 455–485 (2003)

    Article  Google Scholar 

  20. Zurko, M.E., Simon, R.T.: User-centered security. In: NSPW 1996: Proceedings of the 1996 workshop on New security paradigms, pp. 27–33. ACM, New York (1996)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Technologie-Zentrum Informatik TZI, Universität Bremen, Bibliothekstr. 1, 28359, Bremen, Germany

    Steffen Bartsch, Karsten Sohr & Carsten Bormann

Authors
  1. Steffen Bartsch
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Karsten Sohr
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Carsten Bormann
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science LWSN 2142G, Purdue University, 656 Oval Drive, IN 47907, West Lafayette, USA

    Elisa Bertino

  2. School of Information Sciences, Department of Information Sciences and Telecommunications, University of Pittsburgh, 135 North Bellefield Avenue, PA 15260, Pittsburgh, USA

    James B. D. Joshi

Rights and permissions

Reprints and permissions

Copyright information

© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Bartsch, S., Sohr, K., Bormann, C. (2009). Supporting Agile Development of Authorization Rules for SME Applications. In: Bertino, E., Joshi, J.B.D. (eds) Collaborative Computing: Networking, Applications and Worksharing. CollaborateCom 2008. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 10. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03354-4_35

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-03354-4_35

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03353-7

  • Online ISBN: 978-3-642-03354-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation