Publication type: Conference paper
Type of review: Peer review (publication)
Title: Is modeling access control worth it?
Authors: Basin, David
Guarnizo Hernandez, Juan David
Krstic, Srđan
Nguyen, Hoang
Ochoa Ronderos, Martin
et. al: No
DOI: 10.1145/3576915.3623196
Proceedings: CCS '23 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Page(s): 2830
Pages to: 2844
Conference details: 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, 26-30 November 2023
Issue Date: 26-Nov-2023
Publisher / Ed. Institution: ACM
ISBN: 9798400700507
Language: English
Subjects: Security; Software application
Subject (DDC): 005: Computer programming, programs and data
Abstract: Implementing access control policies is an error-prone task that can have severe consequences for the security of software applications. Model-driven approaches have been proposed in the literature and associated tools have been developed with the goal of reducing the complexity of this task and helping developers to produce secure software efficiently. Nevertheless, there is a lack of empirical data supporting the advantages of model-driven security approaches over code-centric approaches, which are the de facto industry standard for software development. In this work, we compare the result of implementing the same functional and security requirements by multiple developer groups in the context of a security engineering graduate course. We thereby obtain evidence on the security and efficiency of a tool-based model-driven approach to security from the literature compared to a direct implementation in a well-known, modern web-development framework. For example, the projects using model-driven development pass up to 50% more security tests on average with less development effort. Also, we observe that models are twice as concise as manual implementations, which improves system maintainability.
URI: https://digitalcollection.zhaw.ch/handle/11475/29482
Fulltext version: Published version
License (according to publishing contract): Licence according to publishing contract
Departement: School of Engineering
Organisational Unit: Institute of Computer Science (InIT)
Appears in collections: Publikationen School of Engineering

Files in This Item:
There are no files associated with this item.
Basin, D., Guarnizo Hernandez, J. D., Krstic, S., Nguyen, H., & Ochoa Ronderos, M. (2023). Is modeling access control worth it? [Conference paper]. CCS ’23 : Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2830–2844. https://doi.org/10.1145/3576915.3623196