Ensuring software security policies

Access control policies (ACPs) are becoming the new norm for security requirements for businesses to ensure software developers have a clear understanding of security policies.

12/11/2012


ISS SourceThere is a new natural language processing tool that businesses or other users can use to ensure software developers have a clear idea of the security policies they need to incorporate into new software products.

It is all about access control policies (ACPs), which are the security requirements that software developers need to bear in mind when developing new software, said researchers from North Carolina State University and IBM Research. In one case, an ACP for a university grading program needs to allow professors to give grades to students, but should not allow students to change the grades.

“These ACPs are important, but are often buried amidst a lengthy list of other requirements that customers give to developers,” said Dr. Tao Xie, an associate professor of computer science at NC State and co-author of a paper on the research. These requirements are in “natural language,” which is the conversational language people use when talking or corresponding via the written word.

Incomplete or inaccurate ACP requirements can crop up if the customer writing the ACP requirements makes a mistake or doesn’t have enough technical know-how to accurately describe a program’s security needs.

A second problem is programmers may misinterpret some ACP requirements, or overlook them entirely.

In collaboration with IBM Research, Xie’s research team has developed a solution that uses a natural language processing program to extract the ACP requirements from a customer’s overall list of requirements and translate it into machine-readable language that computers can understand and enforce.

After extracting the ACPs, they can be run through Access Control Policy Tool (ACPT) — also developed in Xie’s research team in collaboration with the National Institute of Standards and Technology (NIST) — which verifies and tests the ACPs and determines whether the ACP requirements are adequate to meet the security needs of the program.

Once the ACP requirements translate into machine-readable language, they can also incorporate into a policy-enforcement “engine” in the final software product — which ensures programmers cannot overlook ACPs.

“In general, developing a program that understands natural language text is very challenging,” Xie said. “However, ACP requirements in software documents usually follow a certain style, using terms such as ‘cannot be edited’ or ‘does not have the ability to edit.’ Because ACPs tend to use such a limited number of phrases, it is much easier to develop a program that effectively translates natural language texts in this context.”



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Learn how to create value with re-use; gain productivity with lean automation and connectivity, and optimize panel design and construction.
Go deep: Automation tackles offshore oil challenges; Ethernet advice; Wireless robotics; Product exclusives; Digital edition exclusives
Lost in the gray scale? How to get effective HMIs; Best practices: Integrate old and new wireless systems; Smart software, networks; Service provider certifications
Fixing PID: Part 2: Tweaking controller strategy; Machine safety networks; Salary survey and career advice; Smart I/O architecture; Product exclusives
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Look at the basics of industrial wireless technologies, wireless concepts, wireless standards, and wireless best practices with Daniel E. Capano of Diversified Technical Services Inc.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.