
On Automated Role-Based Access Control Assessment in Enterprise Systems

  • Conference paper
  • Published in: Information Science and Applications

Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 621)

Abstract

Software system security gets a lot of attention from the industry for its crucial role in protecting private resources. Typically, users access a system’s services via an application programming interface (API). This API must be protected to prevent unauthorized access. One way that developers deal with this challenge is by using role-based access control where each entry point is associated with a set of user roles. However, entry points may use the same methods from lower layers in the application with inconsistent permissions. Currently, developers use integration or penetration testing which demands a lot of effort to test authorization inconsistencies. This paper proposes an automated method to test role-based access control in enterprise applications. Our method verifies inconsistencies within the application using authorization role definitions that are associated with the API entry points. By analyzing the method calls and entity accesses on subsequent layers, inconsistencies across the entire application can be extracted. We demonstrate our solution in a case study and discuss our preliminary results.
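The abstract describes propagating the role sets attached to API entry points down through the service and repository layers and flagging methods (and entities) that are reachable under differing permissions. The following is an added illustration of that idea, not the paper's own tool or code: it assumes the entry-point role annotations, the call graph and the entity accesses have already been extracted (here they are constructed inline as plain dictionaries with hypothetical method names), and it reports every method or entity access that is reachable from entry points with different role sets.

```python
"""Propagate entry-point roles through a layered call graph and flag RBAC inconsistencies.

Added example (not from the paper). Input dictionaries are constructed by hand; in a real
assessment they would come from static analysis of annotations and call sites.
"""
from collections import defaultdict

# Constructed sample: API entry points and the roles allowed to call them
# (what a @RolesAllowed-style annotation on a controller method would declare).
ENTRY_ROLES = {
    "OrderController.listOrders": {"USER", "ADMIN"},
    "OrderController.cancelOrder": {"ADMIN"},
    "ReportController.exportOrders": {"USER", "ADMIN"},
}

# Constructed call graph: caller -> callees across controller, service and repository layers.
# exportOrders reaching OrderService.cancel is the deliberate inconsistency to be found.
CALLS = {
    "OrderController.listOrders": ["OrderService.findAll"],
    "OrderController.cancelOrder": ["OrderService.cancel"],
    "ReportController.exportOrders": ["OrderService.findAll", "OrderService.cancel"],
    "OrderService.findAll": ["OrderRepository.findAll"],
    "OrderService.cancel": ["OrderRepository.delete", "AuditService.log"],
    "AuditService.log": ["AuditRepository.save"],
}

# Constructed entity accesses performed by the lowest layer: method -> {(entity, operation)}.
ENTITY_ACCESS = {
    "OrderRepository.findAll": {("Order", "read")},
    "OrderRepository.delete": {("Order", "write")},
    "AuditRepository.save": {("AuditLog", "write")},
}


def reachable(start, calls):
    """Return every method transitively reachable from `start`, including `start`.

    Iterative DFS with a visited set, so recursive or mutually recursive calls terminate.
    """
    seen = set()
    stack = [start]
    while stack:
        method = stack.pop()
        if method in seen:
            continue
        seen.add(method)
        stack.extend(calls.get(method, ()))
    return seen


def effective_roles(entry_roles, calls):
    """Map each method to {entry_point: roles} for every entry point whose call chain reaches it."""
    reached = defaultdict(dict)
    for entry, roles in entry_roles.items():
        for method in reachable(entry, calls):
            reached[method][entry] = frozenset(roles)
    return reached


def entity_roles(reached, entity_access):
    """Lift the method-level result to (entity, operation) pairs."""
    by_access = defaultdict(dict)
    for method, by_entry in reached.items():
        for access in entity_access.get(method, ()):
            by_access[access].update(by_entry)
    return by_access


def find_inconsistencies(reached):
    """Keep only keys reachable under two or more distinct role sets.

    A method or entity access in the result is guarded by different permissions depending on
    which API entry point the request came through; the weakest role set wins in practice.
    """
    return {key: by_entry for key, by_entry in reached.items()
            if len(set(by_entry.values())) > 1}


def report(entry_roles, calls, entity_access):
    """Print a human-readable summary and return (method_issues, entity_issues)."""
    methods = effective_roles(entry_roles, calls)
    method_issues = find_inconsistencies(methods)
    entity_issues = find_inconsistencies(entity_roles(methods, entity_access))
    for key, by_entry in list(method_issues.items()) + list(entity_issues.items()):
        print(f"INCONSISTENT {key}:")
        for entry, roles in sorted(by_entry.items()):
            print(f"    via {entry}: {sorted(roles)}")
    return method_issues, entity_issues


if __name__ == "__main__":
    report(ENTRY_ROLES, CALLS, ENTITY_ACCESS)
```

On the constructed input, `OrderService.findAll` is reached by two entry points but under the same role set, so it is not reported, whereas `OrderService.cancel`, everything beneath it and the `("Order", "write")` entity access are reported because `exportOrders` exposes them to `USER` while `cancelOrder` restricts them to `ADMIN`. The same propagation would also support a per-method check against role annotations found on lower layers, which the sample omits.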



Acknowledgements

This material is based upon work supported by the National Science Foundation under Grant No. 1854049.


Copyright information

© 2020 Springer Nature Singapore Pte Ltd.


Cite this paper

Walker, A., Svacina, J., Simmons, J., Cerny, T. (2020). On Automated Role-Based Access Control Assessment in Enterprise Systems. In: Kim, K., Kim, HY. (eds) Information Science and Applications. Lecture Notes in Electrical Engineering, vol 621. Springer, Singapore. https://doi.org/10.1007/978-981-15-1465-4_38

  • DOI: https://doi.org/10.1007/978-981-15-1465-4_38

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-1464-7

  • Online ISBN: 978-981-15-1465-4
