Creating application security layer based on resource access decision service

Download
2007
Metin, Mehmet Özer
Different solutions have been used for each security aspects (access control, application security) to secure enterprise web applications. However combining "enterprise-level" and "application-level" security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this thesis, adding a new layer to n-tier web application architectures to provide a common evaluation and enforcement environment for both enterprise-level and application level policies to bring together access controlling with application-level security. Removing discrimination between enterprise-level and application-level security policies improves manageability, reusability and scalability of whole system. Resource Access Decision (RAD) specification has been implemented and used as authentication mechanism for this layer. RAD service not only provides encapsulating domain specific factors to give access decisions but also can form a solid base to apply positive and negative security model to secure enterprise web applications. Proposed solution has been used in a real life system and test results have been presented.

Suggestions

Creating application security layer based on resource access decision service
Metin, Mehmet Özer; Şener, Cevat; Göǧebakan, Yenal (2008-01-01)
Different solutions have been implemented for different security aspects (access control, application security) of enterprise web applications. However combining "enterprise-level" and "application-level" security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this paper, we propose adding a new layer to n-tier web application architectures, which use RAD service implementations to execute enterprise and application security policies. Proposed architec...
Specification and verification of confidentiality in software architectures
Ulu, Cemil; Oğuztüzün, Mehmet Halit S.; Department of Computer Engineering (2004)
This dissertation addresses the confidentiality aspect of the information security problem from the viewpoint of the software architecture. It presents a new approach to secure system design in which the desired security properties, in particular, confidentiality, of the system are proven to hold at the architectural level. The architecture description language Wright is extended so that confidentiality authorizations can be specified. An architectural description in Wright/c, the extended language, assigns...
Analysis of recent attacks on SSL/TLS protocols
Özden, Duygu; Cenk, Murat; Department of Cryptography (2016)
Transport Layer Security(TLS) and its predecessor Secure Socket Layer(SSL) are two important cryptographic, certificate based protocols that satisfy secure communication in a network channel. They are widely used in many areas such as online banking systems, online shopping, e-mailing, military systems or governmental systems. Being at the center of secure communication makes SSL and TLS become the target of attackers and an important field of study for researchers. So many vulnerabilities and attacks towar...
Using Assurance Cases to Develop Iteratively Security Features Using Scrum
BEN OTHMANE, Lotfi; Angın, Pelin; BHARGAVA, Bharat (2014-09-12)
A security feature is a customer-valued capability of software for mitigating a set of security threats. Incremental development of security features, using the Scrum method, often leads to developing ineffective features in addressing the threats they target due to factors such as incomplete security tests. This paper proposes the use of security assurance cases to maintain a global view of the security claims as the feature is being developed iteratively and a process that enables the incremental developm...
Software process improvement
Elalmış, Mert Erkan; Yücel, Melek D; Department of Electrical and Electronics Engineering (2007)
In this thesis the software development process and in particular, the requirements management processes in a major software development company have been investigated. The current problems related to requirements quality and process performances have been identified. Process improvement measures have been proposed based on the suggestions found in the relevant literature. The current process and the improved version have been compared with respect to the process evaluation metrics proposed particularly for...
Citation Formats
M. Ö. Metin, “Creating application security layer based on resource access decision service,” M.S. - Master of Science, Middle East Technical University, 2007.