Questionnaire on Authorization in Web Development


Steffen Bartsch

Nov 16, 2009, 3:56:57 AM
to declarative_...@googlegroups.com
The Rails plugin declarative_authorization is foremost a typical OpenSource
effort. As a second purpose, it helps me as a research scientist in
exploring usable security. To evaluate the current state from a broader
developer perspective, I composed this questionnaire.

The overall objective of my research is to improve understanding of the
authorization development process to make authorization development easier
for developers. In the long term, this should result in more appropriate
policies, less learning or implementation effort and authorization-related
bugs like missing permission checks etc. Thus, I am interested in feedback
on authorization in Web development in general, whether developed based on
Java EE or Rails, with authorization frameworks like Spring Security,
decl_auth or home-grown solutions.

Of course, any data is handled confidentially and will be used in
anonymous form only. Still, feel free to leave inappropriate questions
blank. Please take a few minutes to complete the questionnaire and send it
to my E-Mail address sbar...@tzi.org. I'd appreciate replies before
Dec 1.

Thanks,
Steffen


* How would you characterize your experience in Web development, your
employed Web framework, Security, Authorization?
(In years and no. of projects; professionally?)

* Please give a few details on Web applications that you have developed
with authorization measures in the last year (with or without decl_auth):
  * Type of application
  * Size: Number of developers involved, man-months
  * Employed Web development framework (Rails, Java EE, etc.)
  * Complexity: Number of models, controllers or DB tables
  * Number of users, roles (if applicable)
  * Employed authorization framework (or home-grown authorization)
  * If decl_auth employed: Length of authorization rules file in lines
  * Approximate part of development effort spent on authorization
  * Approximate number of changes to authorization policy per development
    month, if any
  * Key reasons for choosing the specific authorization framework
    (E.g. factors like maintainability, developer usability, ease of learning,
    efficiency, effectiveness, known stability)

* Any suggestions on how to improve the developer experience of the
authorization development? (E.g. additional tools, API improvements etc.)

Steffen Bartsch

Jan 5, 2010, 2:19:37 PM
to declarative_...@googlegroups.com
On Monday, November 16, 2009, Steffen Bartsch wrote:
> I'd appreciate replies

Thanks to those that replied. Unfortunately, the number of replies was too
low to derive meaningful results. Thus, a second try: Please consider
investing 15 Minutes to complete the form at the end of the E-Mail. Every
completed form will help me with my research work and indirectly improve the
further support and development of decl_auth by increasing my motivation.

Of course, I will handle any data confidentially and use it in anonymous form
only. I'd appreciate replies before Jan 13.

> The overall objective of my research is to improve understanding of the
> authorization development process to make authorization development easier
> for developers. In the long term, this should result in more appropriate
> policies, less learning or implementation effort and authorization-related
> bugs like missing permission checks etc. I am interested in feedback
> on authorization in Web development in general, whether developed based on
> Java EE or Rails, with authorization frameworks like Spring Security,
> decl_auth or home-grown solutions.

Thanks,
