Test-Driven Assessment of Access Control in Legacy Applications
- 1 April 2008
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2008 International Conference on Software Testing, Verification, and Validation
- p. 238-247
- https://doi.org/10.1109/icst.2008.60
Abstract
If access control policy decision points are not neatly separated from the business logic of a system, the evolution of a security policy likely leads to the necessity of changing the system's code base. This is often the case with legacy systems. We present a test- driven methodology to assess the flexibility of a system, a property that describes the degree of coupling between the access control logic and the business logic of a system. A low flexibility indicates that a modification of the policy will lead to substantial changes of the code. In this paper, we analyze the notion of flexibility which is related to the presence of hidden and implicit security mechanisms in the business logic. We detail how testing can be used for detecting such mechanisms and how it may drive the incremental evolution of a security policy. We use several case studies to illustrate and validate the methodology.Keywords
This publication has 11 references indexed in Scilit:
- Model-Based Tests for Access Control PoliciesPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2008
- Mutation Analysis for Security Tests QualificationPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2007
- High Level Conflict Management Strategies in Advanced Access Control ModelsElectronic Notes in Theoretical Computer Science, 2007
- Inferring Access-Control Policy Properties via Machine LearningPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2006
- Model driven securityACM Transactions on Software Engineering and Methodology, 2006
- From genetic to bacteriological algorithms for mutation-based testingSoftware Testing, Verification and Reliability, 2005
- Proposed NIST standard for role-based access controlACM Transactions on Information and System Security, 2001
- Software engineering for securityPublished by Association for Computing Machinery (ACM) ,2000
- Formal specification for role based access control user/role and role/role relationship managementPublished by Association for Computing Machinery (ACM) ,1998
- Role-based access control modelsComputer, 1996