Access control (AC) is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) express rules concerning who can access what information, and under what conditions. ACP specification is not an explicit part of the software development process and is often isolated from requirements analysis activities, leaving systems vulnerable to security breaches because policies are specified without ensuring compliance with system requirements. In this paper, we present the Requirements-based Access Control Analysis and Policy Specification (ReCAPS) method for deriving and specifying ACPs, and discuss three validation efforts. The method integrates policy specification into the software development process, ensures consistency across software artifacts, and provides prescriptive guidance for how to specify ACPs. It also improves the quality of requirements specifications and system designs by clarifying ambiguities and resolving conflicts across these artifacts during the analysis, making a significant step towards ensuring that policies are enforced in a manner consistent with a system's requirements specifications. To date, the method has been applied within the context of four operational systems. Additionally, we have conducted an empirical study to evaluate its usefulness and effectiveness. A software tool, the Security and Privacy Requirements Analysis Tool (SPRAT), was developed to support ReCAPS analysis activities.