Authorization is a key aspect of secure software development for multi-user applications. Authorization is often enforced in the program code with enforcement statements. Since authorization is present in numerous places, defects in the enforcement are difficult to discover. One approach to this challenge is to improve developer usability with regard to authorization. We analyze how software development is affected by authorization in a real-world case study and focus in particular on the loose-coupling properties of authorization frameworks that separate authorization policy from enforcement. We show that authorization is a significant aspect of software development and that the effort can be reduced through appropriate authorization frameworks. Lastly, we formulate advice on the design of enforcement APIs.