Supporting Agile Development of Authorization Rules for SME Applications

Custom SME applications for collaboration and workflow have become affordable when implemented as Web applications employing Agile methodologies. Security engineering is still difficult with Agile development, though: heavy-weight processes put the improvements of Agile development at risk. We propose Agile security engineering and increased end-user involvement to improve Agile development with respect to authorization policy development. To support the authorization policy development, we introduce a simple and readable authorization rules language implemented in a Ruby on Rails authorization plugin that is employed in a real-world SME collaboration and workflow application. Also, we report on early findings of the language’s use in authorization policy development with domain experts.

[1]  Jie Dai,et al.  Logic Based Authorization Policy Engineering , 2002 .

[2]  Shijun Liu,et al.  Flexible Workflow Incorporated with RBAC , 2005, CSCWD.

[3]  Richard F. Paige,et al.  Security Planning and Refactoring in Extreme Programming , 2006, XP.

[4]  Alberto Sillitti Agile Processes in Software Engineering and Extreme Programming, 11th International Conference, XP 2010, Trondheim, Norway, June 1-4, 2010. Proceedings , 2010, XP.

[5]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[6]  Michele Marchesi,et al.  Extreme Programming and Agile Processes in Software Engineering , 2003, Lecture Notes in Computer Science.

[7]  Richard F. Paige,et al.  Extreme Programming Security Practices , 2007, XP.

[8]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[9]  Mary Ellen Zurko,et al.  User-centered security , 1996, NSPW '96.

[10]  日本規格協会 情報技術-セキュリティ技術-情報セキュリティマネジメントシステム-要求事項 : 国際規格ISO/IEC 27001 = Information technology-Security techniques-Information security management systems-Requirements : ISO/IEC 27001 , 2005 .

[11]  JaatunMartin Gilje,et al.  Agile Software Development , 2002, Comput. Sci. Educ..

[12]  Seog Park,et al.  Task-role-based access control model , 2003, Inf. Syst..

[13]  Weiming Shen,et al.  Computer Supported Cooperative Work in Design II , 2005, Lecture Notes in Computer Science.

[14]  Richard F. Paige,et al.  Agile Security Using an Incremental Security Architecture , 2005, XP.

[15]  D. Richard Kuhn,et al.  Role-Based Access Controls , 2009, ArXiv.

[16]  James Miller,et al.  Agile security testing of Web-based systems via HTTPUnit , 2005, Agile Development Conference (ADC'05).

[17]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[18]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[19]  Vidar Kongsli Towards agile security in web applications , 2006, OOPSLA '06.

[20]  Elisa Bertino,et al.  The specification and enforcement of authorization constraints in workflow management systems , 1999, TSEC.