Supporting Agile Development of Authorization Rules for SME Applications

  • Steffen Bartsch
  • Karsten Sohr
  • Carsten Bormann
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 10)


Custom SME applications for collaboration and workflow have become affordable when implemented as Web applications employing Agile methodologies. Security engineering is still difficult with Agile development, though: heavy-weight processes put the improvements of Agile development at risk. We propose Agile security engineering and increased end-user involvement to improve Agile development with respect to authorization policy development. To support the authorization policy development, we introduce a simple and readable authorization rules language implemented in a Ruby on Rails authorization plugin that is employed in a real-world SME collaboration and workflow application. Also, we report on early findings of the language’s use in authorization policy development with domain experts.


Authorization Policy Agile Security Engineering End-User Development DSL SME Applications 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ISO/IEC 27001:2005. Information technology – Security techniques – Information security management systems – Requirements. ISO, Geneva, SwitzerlandGoogle Scholar
  2. 2.
    ANSI INCITS 359-2004. Role-Based Access Control. American Nat’l Standard for Information Technology (2004)Google Scholar
  3. 3.
    Aydal, E.G., Paige, R.F., Chivers, H., Brooke, P.J.: Security planning and refactoring in extreme programming. In: Abrahamsson, P., Marchesi, M., Succi, G. (eds.) XP 2006. LNCS, vol. 4044, pp. 154–163. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2(1), 65–104 (1999)CrossRefGoogle Scholar
  5. 5.
    Chivers, H., Paige, R.F., Ge, X.: Agile security using an incremental security architecture. In: Baumeister, H., Marchesi, M., Holcombe, M. (eds.) XP 2005. LNCS, vol. 3556, pp. 57–65. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Church, L.: End user security: The democratisation of security usability. In: Security and Human Behaviour (2008)Google Scholar
  7. 7.
    Cockburn, A.: Agile Software Development. Addison-Wesley Professional, Reading (2001)MATHGoogle Scholar
  8. 8.
    Dai, J., Alves-Foss, J.: Logic based authorization policy engineering. In: The 6th World Multiconference on Systemics, Cybernetics and Informatics (2002)Google Scholar
  9. 9.
    Ferraiolo, D., Kuhn, R.: Role-based access controls. In: 15th NIST-NCSC National Computer Security Conference, pp. 554–563 (1992)Google Scholar
  10. 10.
    Ge, X., Paige, R.F., Polack, F., Brooke, P.J.: Extreme programming security practices. In: Concas, G., Damiani, E., Scotto, M., Succi, G. (eds.) XP 2007. LNCS, vol. 4536, pp. 226–230. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Kongsli, V.: Towards agile security in web applications. In: OOPSLA 2006: Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications, pp. 805–808. ACM, New York (2006)CrossRefGoogle Scholar
  12. 12.
    Lieberman, H.: End user development. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: ACSAC 1999: Proceedings of the 15th Annual Computer Security Applications Conference, Washington, DC, USA, p. 55. IEEE Computer Society, Los Alamitos (1999)Google Scholar
  14. 14.
    Oh, S., Park, S.: Task-role-based access control model. Inf. Syst. 28(6), 533–562 (2003)CrossRefMATHGoogle Scholar
  15. 15.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  16. 16.
    Sun, Y., Meng, X., Liu, S., Pan, P.: Flexible workflow incorporated with RBAC. In: Shen, W.-m., Chao, K.-M., Lin, Z., Barthès, J.-P.A., James, A. (eds.) CSCWD 2005. LNCS, vol. 3865, pp. 525–534. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Tappenden, A., Beatty, P., Miller, J.: Agile security testing of web-based systems via httpunit. In: AGILE, pp. 29–38. IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  18. 18.
    Thomas, R.K., Sandhu, R.S.: Thomas and Ravi S. Sandhu. Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented autorization management. In: Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI, London, UK, pp. 166–181. Chapman & Hall, Ltd., Boca Raton (1998)Google Scholar
  19. 19.
    Wainer, J., Barthelmess, P., Kumar, A.: W-RBAC - a workflow security model incorporating controlled overriding of constraints. Int. J. Cooperative Inf. Syst. 12(4), 455–485 (2003)CrossRefGoogle Scholar
  20. 20.
    Zurko, M.E., Simon, R.T.: User-centered security. In: NSPW 1996: Proceedings of the 1996 workshop on New security paradigms, pp. 27–33. ACM, New York (1996)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2009

Authors and Affiliations

  • Steffen Bartsch
    • 1
  • Karsten Sohr
    • 1
  • Carsten Bormann
    • 1
  1. 1.Technologie-Zentrum Informatik TZIUniversität BremenBremenGermany

Personalised recommendations