Learn More
Agile methods are widely employed to develop high-quality software, but theoretical analyses argue that agile methods are inadequate for security-critical projects. However, most agile-developed software today needs to satisfy baseline security requirements, so that we need to focus on how to achieve this this level for typical agile projects. In this(More)
Custom SME applications for collaboration and workflow have become affordable when implemented as Web applications employing Agile methodologies. Security engineering is still difficult with Agile development, though: heavyweight processes put the improvements of Agile development at risk. We propose Agile security engineering and increased end-user(More)
Many organizations struggle with ineffective and/or inefficient access control, but these problems and their consequences often remain invisible to security decision-makers. Prior research has focused on improving the policy-authoring part of authorization and does not consider the full range of underlying problems, and their impact on organizations. We(More)
Most organizations have access control policies, and many have to change them frequently to get work done. Currently, the way such changes are made often has a significant impact on the organization's security, productivity, and employee satisfaction. Those who have to make the decisions are put on the spot, and depending on their perspective and(More)
—Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for the end users while data may still(More)
Problems in organizational authorization result in productivity impacts and in security risks, for example, from over-entitlements and non-compliance. Many of the problems originate from organizational dynamics in combination with problematic authorization procedures for permission changes. To mitigate these problems and to improve the processes or craft(More)
Current warnings in Web browsers are difficult to understand for lay users. We address this problem through more concrete warning content by contextualizing the warning – for example, taking the user's current intention into account in order to name concrete consequences. To explore the practical value of contextualization and potential obstacles , we(More)
Web applications are increasingly developed in Agile development processes. Business-centric Web applications need complex authorization policies to securely implement business processes. As part of the Agile process, integrating domain experts into the development of RBAC authorization policies improves the policies, but remains difficult. For policy(More)