
Continuous Development and Testing of Access and Usage Control: A Systematic Literature Review

Published: 21 December 2020

Abstract

Context: Development and testing of access/usage control systems is a growing research area. With new trends in software development such as DevOps, the development of access/usage control also has to evolve. Objective: The main aim of this paper is to provide an overview of research proposals in the area of continuous development and testing of access and usage control systems. Method: The paper uses a Systematic Literature Review as its research method to define the research questions and answer them following a systematic approach. With the specified search string, 210 studies were retrieved. After applying the inclusion and exclusion criteria in two phases, a final set of 20 primary studies was selected for this review. Results: Results show that primary studies are mostly published in security venues, followed by software engineering venues. Furthermore, most of the studies are based on the standard XACML access control language. In addition, a significant portion of the proposals for development and testing is automated, with test assessment and test generation being the most targeted areas. Some general guidelines for leveraging continuous development and testing of usage and access control systems inside the DevOps process are also provided.



Published In

ESSE '20: Proceedings of the 2020 European Symposium on Software Engineering
November 2020
220 pages
ISBN:9781450377621
DOI:10.1145/3393822

In-Cooperation

  • UNIBO: University of Bologna

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Access Control
  2. DevOps
  3. Systematic Literature Review
  4. Testing
  5. XACML

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • CyberSec4Europe

Conference

ESSE 2020


Cited By

  • (2022) A Formal Validation Approach for XACML 3.0 Access Control Policy. Sensors 22:8 (2984). DOI 10.3390/s22082984. Online publication date: 13-Apr-2022.
  • (2022) Software Testing in the DevOps Context: A Systematic Mapping Study. Programming and Computing Software 48:8 (658--684). DOI 10.1134/S0361768822080175. Online publication date: 1-Dec-2022.
  • (2022) Automated reverse engineering of role-based access control policies of web applications. Journal of Systems and Software 184:C. DOI 10.1016/j.jss.2021.111109. Online publication date: 1-Feb-2022.
  • (2020) An automated framework for continuous development and testing of access control systems. Journal of Software: Evolution and Process 35:3. DOI 10.1002/smr.2306. Online publication date: 27-Aug-2020.
