«

»

Test-Driven Assessment of Access Control in Legacy Applications

by Yves Le Traon, Tejeddine Mouelhi, Alexander Pretschner, Benoit Baudry
Abstract:
If access control policy decision points are not neatly separated from the business logic of a system, the evolution of a security policy likely leads to the necessity of changing the system’s code base. This is often the case with legacy systems. We present a test-driven methodology to assess the flexibility of a system, a property that describes the degree of coupling between the access control logic and the business logic of a system. A low flexibility indicates that a modification of the policy will lead to substantial changes of the code. In this paper, we analyze the notion of flexibility which is related to the presence of hidden and implicit security mechanisms in the business logic. We detail how testing can be used for detecting such mechanisms and how it may drive the incremental evolution of a security policy. We use several case studies to illustrate and validate the methodology.
Reference:
Test-Driven Assessment of Access Control in Legacy Applications (Yves Le Traon, Tejeddine Mouelhi, Alexander Pretschner, Benoit Baudry), In Proceedings of the International Conference on Software Testing, Verification and Validation (ICST), 2008.
Bibtex Entry:
@inproceedings{mouelhi08c,
	Abstract = {If access control policy decision points are not neatly separated
	from the business logic of a system, the evolution of a security
	policy likely leads to the necessity of changing the system's code
	base. This is often the case with legacy systems. We present a test-driven
	methodology to assess the flexibility of a system, a property that
	describes the degree of coupling between the access control logic
	and the business logic of a system. A low flexibility indicates that
	a modification of the policy will lead to substantial changes of
	the code. In this paper, we analyze the notion of flexibility which
	is related to the presence of hidden and implicit security mechanisms
	in the business logic. We detail how testing can be used for detecting
	such mechanisms and how it may drive the incremental evolution of
	a security policy. We use several case studies to illustrate and
	validate the methodology.},
	keywords = {test, security},
	Author = {Le Traon, Yves and Mouelhi, Tejeddine and Pretschner, Alexander and Baudry, Benoit},
	Booktitle = {Proceedings of the International Conference on Software Testing, Verification and Validation (ICST)},
	Title = {Test-Driven Assessment of Access Control in Legacy Applications},
	x-abbrv = {ICST},
	X-Country = {NO},
	X-International-Audience = {yes},
	X-Language = {EN},
	X-Proceedings = {yes},
	Year = {2008},
	url = {http://www.irisa.fr/triskell/publis/2008/mouelhi08c.pdf}}