Embedding Model-Based Security Policies in Software Development

摘要

Security in software applications is frequently an afterthought. Even if developers are aware of security policies and software vulnerabilities, they possess little knowledge of how to implement security polices while developing applications. In addition, the lack of support for tools and security automation makes it more challenging to incorporate security policies. In this paper we have proposed a security policy enforcement mechanism to incorporate security policies for data fields in transactions of software application during its development phase. The objective is to facilitate developers implementing security policies easily. The extensibility of our approach gives the flexibility to accommodate different security policy schemas and to implement various security policies on sensitive data. With the simplicity of mapping data fields of business structures with security policy definitions, our approach provides the programmers, business domain experts and security experts a collaborative process to define and incorporate security policies in software.