Custom collaboration and workflow applications for small and medium-sized enterprises (SMEs) have become affordable when they are built as Web applications using Agile methods. Security engineering remains difficult in Agile development, however: heavy-weight security processes put the gains of Agile development at risk. We propose Agile security engineering together with increased end-user involvement to improve Agile development with respect to authorization policy development. To support authorization policy development, we introduce a simple and readable authorization rules language, implemented as a Ruby on Rails authorization plugin, that is employed in a real-world SME collaboration and workflow application. We also report early findings from using the language for authorization policy development with domain experts.


Keywords: Authorization Policy, Agile Security Engineering, End-User Development, DSL, SME Applications
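The abstract describes a readable authorization-rules language embedded in Ruby on Rails. The page does not reproduce that language, so the following is an added illustration (not the paper's plugin, and not its syntax) of what an embedded rules DSL of this kind can look like and how a decision engine evaluates it: roles with a role hierarchy, privileges granted on a context such as a model, and attribute conditions on the object that are checked against the acting user. Every name here (AuthorizationRules, role, includes, has_permission_on, if_attribute, the User and Document structs and the sample policy and data) is an assumption chosen for this example.

```ruby
# Added illustration of an embedded authorization-rules DSL in plain Ruby.
# Not the plugin from the paper: every name below is an assumption for this example.
class AuthorizationRules
  Rule = Struct.new(:context, :privileges, :conditions)

  def initialize(&block)
    @roles = {}   # role name => { includes: [role names], rules: [Rule] }
    instance_eval(&block) if block
  end
  # Declare a role; the block holds its grants.
  def role(name, &block)
    @current_role = (@roles[name] ||= { includes: [], rules: [] })
    instance_eval(&block) if block
    @current_role = nil
  end
  # Role hierarchy: a role inherits every rule of the roles it includes.
  def includes(*role_names)
    @current_role[:includes].concat(role_names)
  end
  # Grant privileges on a context (e.g. a model), optionally restricted by conditions.
  def has_permission_on(context, to:, &block)
    @current_rule = Rule.new(context, Array(to), [])
    @current_role[:rules] << @current_rule
    instance_eval(&block) if block
    @current_rule = nil
  end
  # Attribute condition on the object: a literal, or a lambda taking the user
  # (owner_id: ->(user) { user.id } expresses "only on your own records").
  def if_attribute(**attrs)
    @current_rule.conditions << attrs
  end
  # Transitive closure of the role hierarchy; tolerates cycles.
  def effective_roles(role_names)
    seen, queue = [], role_names.dup
    until queue.empty?
      r = queue.shift
      next if seen.include?(r)
      seen << r
      queue.concat(@roles.fetch(r, { includes: [] })[:includes])
    end
    seen
  end
  # Deny by default: permit only if some effective role has a matching rule
  # whose conditions hold for this user and object.
  def permitted?(user, privilege, context, object = nil)
    effective_roles(user.roles).any? do |r|
      @roles.fetch(r, { rules: [] })[:rules].any? do |rule|
        rule.context == context && rule.privileges.include?(privilege) &&
          conditions_hold?(rule, user, object)
      end
    end
  end

  private def conditions_hold?(rule, user, object)
    return true if rule.conditions.empty?
    return false if object.nil?   # conditional rule but no object to check: fail closed
    rule.conditions.all? do |attrs|
      attrs.all? do |attr, expected|
        expected = expected.call(user) if expected.respond_to?(:call)
        object.public_send(attr) == expected
      end
    end
  end
end

# Constructed sample domain and policy (assumptions, not from the paper).
User     = Struct.new(:id, :roles)
Document = Struct.new(:id, :owner_id, :state)
RULES = AuthorizationRules.new do
  role :employee do
    has_permission_on :documents, to: :read
    has_permission_on :documents, to: :update do
      if_attribute owner_id: ->(user) { user.id }   # only the owner may edit
    end
  end
  role :reviewer do
    includes :employee
    has_permission_on :documents, to: :approve do
      if_attribute state: "submitted"
    end
  end
  role :admin do
    includes :reviewer
    has_permission_on :documents, to: [:update, :delete]
  end
end

# Decisions for a document owned by alice (id 1) in state "submitted".
def demo
  alice, bob, root = User.new(1, [:employee]), User.new(2, [:reviewer]), User.new(3, [:admin])
  doc = Document.new(10, 1, "submitted")
  {
    alice_updates_own:  RULES.permitted?(alice, :update,  :documents, doc),  # true
    bob_updates_alices: RULES.permitted?(bob,   :update,  :documents, doc),  # false, not the owner
    bob_reads:          RULES.permitted?(bob,   :read,    :documents, doc),  # true, inherited from :employee
    bob_approves:       RULES.permitted?(bob,   :approve, :documents, doc),  # true
    alice_deletes:      RULES.permitted?(alice, :delete,  :documents, doc),  # false, no rule grants it
    update_no_object:   RULES.permitted?(alice, :update,  :documents),       # false, fail closed
  }
end
```

Two design points matter for a policy that domain experts will edit: the engine denies unless a rule explicitly permits, so a forgotten grant shows up as an access error rather than as an exposure, and a rule carrying attribute conditions denies when no object is supplied, so a controller that checks a conditional privilege without loading the record cannot accidentally pass. In a Rails application a check like `RULES.permitted?(current_user, :update, :documents, @document)` would sit in a before filter, with the rules file kept under version control alongside the code so policy changes are reviewed in the same iteration as the feature they belong to.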





Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2009

Authors and Affiliations

Steffen Bartsch, Karsten Sohr, Carsten Bormann
Technologie-Zentrum Informatik (TZI), Universität Bremen, Bremen, Germany
