TY - GEN
T1 - Model-assisted access control implementation for code-centric Ruby-on-Rails web application development
AU - Munetoh, Seiji
AU - Yoshioka, Nobukazu
PY - 2013
Y1 - 2013
N2 - In a Web application framework suited to a code-centric development approach, keeping the security features free of faults is an issue because those features are dispersed throughout the code during implementation. In this paper, we propose a method and develop a static verification tool for Web applications that checks the completeness of the security feature implementation. The tool generates a navigation model from the application code while retaining the security properties, and then checks the consistency of the security properties on the model, since access control is tied to the application's behavior. We applied the proposed tool to the source code of various Ruby on Rails Web applications and tested their authentication and authorization features. Results showed that the tool is an effective aid in the implementation of security features in code-centric and iterative Web application development.
AB - In a Web application framework suited to a code-centric development approach, keeping the security features free of faults is an issue because those features are dispersed throughout the code during implementation. In this paper, we propose a method and develop a static verification tool for Web applications that checks the completeness of the security feature implementation. The tool generates a navigation model from the application code while retaining the security properties, and then checks the consistency of the security properties on the model, since access control is tied to the application's behavior. We applied the proposed tool to the source code of various Ruby on Rails Web applications and tested their authentication and authorization features. Results showed that the tool is an effective aid in the implementation of security features in code-centric and iterative Web application development.
KW - Access control
KW - Agile development
KW - Modeling Web application
KW - Static security analysis
UR - http://www.scopus.com/inward/record.url?scp=84892419150&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84892419150&partnerID=8YFLogxK
U2 - 10.1109/ARES.2013.47
DO - 10.1109/ARES.2013.47
M3 - Conference contribution
AN - SCOPUS:84892419150
SN - 9780769550084
T3 - Proceedings - 2013 International Conference on Availability, Reliability and Security, ARES 2013
SP - 350
EP - 359
BT - Proceedings - 2013 International Conference on Availability, Reliability and Security, ARES 2013
T2 - 2013 8th International Conference on Availability, Reliability and Security, ARES 2013
Y2 - 2 September 2013 through 6 September 2013
ER -
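The abstract describes extracting a navigation model from Rails code, keeping the access-control properties attached to it, and checking them for consistency. The following is an added illustration of that idea in plain Ruby; it is my own code, not the authors' tool, and it makes its own simplifying assumptions, all labelled in the comments: authentication filters are recognised by name (`AUTH_FILTER`), navigation edges come only from `render :x` / `redirect_to action: :x` in controller bodies plus the RESTful form convention (`new` submits to `create`, `edit` to `update`), `before_action` `only:`/`except:` lists and filters inherited from a parent controller are honoured, and the consistency rule checked is that an action requiring authentication must not lead to a state-changing action that does not. The two sample controllers are constructed for the example.

```ruby
require 'set'

Controller = Struct.new(:name, :parent, :filters, :actions, :edges)

# Assumptions (mine, not the paper's): auth filters are recognised by name, and under Rails
# resource routing the form rendered by `new` submits to `create`, the one from `edit` to `update`.
AUTH_FILTER  = /auth|login|sign_?in/i
FORM_TARGETS = { 'new' => 'create', 'edit' => 'update' }.freeze
MUTATING     = %w[create update destroy].freeze

# Does a before_action with only:/except: restrictions apply to this action?
def filter_applies?(f, action)
  (f[:only].nil? || f[:only].include?(action)) && (f[:except].nil? || !f[:except].include?(action))
end

# Parse one controller source file (multi-line `def ... end` methods assumed).
def parse_controller(src)
  m = src.match(/class\s+(\w+Controller)(?:\s*<\s*(\w+))?/) or raise ArgumentError, 'no controller class'
  ctrl = Controller.new(m[1], m[2], [], [], Hash.new { |h, k| h[k] = Set.new })
  src.scan(/(?:before_action|before_filter)\s+:(\w+)(?:,\s*(only|except):\s*(\[[^\]]*\]|:\w+))?/) do |name, kind, list|
    syms = list && list.scan(/:(\w+)/).flatten
    ctrl.filters << { name: name, only: kind == 'only' ? syms : nil, except: kind == 'except' ? syms : nil }
  end
  public_part = src.split(/^\s*(?:private|protected)\s*$/).first # only public methods are actions
  public_part.scan(/^( *)def (\w+)\b(.*?)^\1end\b/m) do |_indent, action, body|
    ctrl.actions << action
    # Navigation visible in the controller itself: `render :x` and `redirect_to action: :x`
    body.scan(/(?:render|redirect_to)\s+(?:action:\s*)?:(\w+)/) { |(target)| ctrl.edges[action] << target }
    ctrl.edges[action] << FORM_TARGETS[action] if FORM_TARGETS[action]
  end
  ctrl
end

def build_index(sources)
  sources.map { |s| parse_controller(s) }.to_h { |c| [c.name, c] }
end

# Filters declared on a controller plus those inherited from its ancestors.
def effective_filters(ctrl, index)
  parent = index[ctrl.parent]
  (parent ? effective_filters(parent, index) : []) + ctrl.filters
end

def requires_auth?(ctrl, action, index)
  effective_filters(ctrl, index).any? { |f| f[:name] =~ AUTH_FILTER && filter_applies?(f, action) }
end

# Consistency check over the navigation model: an action that requires authentication
# must not lead to a state-changing action that does not.
def check_access_control(sources)
  index = build_index(sources)
  findings = []
  index.each_value do |ctrl|
    ctrl.actions.each do |action|
      next unless requires_auth?(ctrl, action, index)
      ctrl.edges[action].each do |target|
        next unless MUTATING.include?(target) && ctrl.actions.include?(target)
        next if requires_auth?(ctrl, target, index)
        findings << "#{ctrl.name}##{action} (protected) -> #{ctrl.name}##{target} (unprotected)"
      end
    end
  end
  findings
end

# Constructed sample: the login form is public, the post pages are protected, but `update`,
# which the edit form submits to, was left out of the filter.
SAMPLE_CONTROLLERS = [<<~RUBY, <<~RUBY].freeze
  class SessionsController < ApplicationController
    def new
    end
    def create
      redirect_to action: :new
    end
  end
RUBY
  class PostsController < ApplicationController
    before_action :require_login, only: [:new, :create, :edit]
    def new
      @post = Post.new
    end
    def create
      @post = Post.new(params.require(:post).permit(:title))
      if @post.save
        redirect_to action: :show
      else
        render :new
      end
    end
    def edit
      @post = Post.find(params[:id])
    end
    def update
      redirect_to action: :show
    end
  end
RUBY
```

Running `check_access_control(SAMPLE_CONTROLLERS)` reports the one inconsistent edge, `PostsController#edit` to `PostsController#update`, and the public `SessionsController#new` to `create` edge is correctly left alone. The check can only be as complete as the navigation model: edges that live in views and routes (`form_with`, `link_to`, `button_to ... method: :delete`) are not extracted here, so an unprotected `destroy` reached only from a view button would go unreported. That gap is exactly why a model that covers the whole application, as the abstract proposes, rather than a per-file grep, is needed for this kind of verification.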