Securing Dataverse with an Adapted Command Design Pattern

Gustavo Durand, Michael Bar-Sinai, Mercè Crosas

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In order to bake security into application design, we introduce an adaptation to the Command pattern: command instances are tagged with the permissions required to perform them for each object they manipulate. Prior to executing a command instance issued by a given user, an execution engine validates that the user has the required permissions over the objects the command is about to operate on. The required permissions can often be stated declaratively. In addition to the usual advantages offered by the command pattern (such as standardized operation handling), this adaptation creates a single checkpoint for validating permissions throughout the application. This, in turn, enhances application security and reduces code duplication, for example between the API and UI controllers. Disadvantages include the lack of framework support and a learning curve for existing developers. We have used this design in implementing Dataverse, a widely-used institutional data repository developed at Harvard University, which has been in production use since May 2015. As this design differs significantly from common web application design, we also look at how the development team adapted to it, and at how using it affected our development process.
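The pattern the abstract describes, as an added illustrative model in Python (not Dataverse's own code, which is not shown here): commands declare the permissions they need per object, and a single engine checks every affected object before any command executes. The `Permission` values, `DvObject`, the two commands and the `Engine` are all assumed names for the illustration.

```python
from enum import Enum, auto

class Permission(Enum):
    EDIT_DATASET = auto()
    ADD_DATASET = auto()  # held on a collection: lets a user add datasets to it

class DvObject:
    """Simplified stand-in (assumed, not Dataverse's class) for a dataset or collection.
    grants maps user name -> set of Permission that user holds on this object."""
    def __init__(self, name, grants=None):
        self.name, self.grants, self.children = name, grants or {}, []

class Command:
    """Declarative form: REQUIRED names the permissions needed on self.target."""
    REQUIRED = frozenset()
    def __init__(self, user, target):
        self.user, self.target = user, target
    def required_permissions(self):  # {object: permissions the user needs on it}
        return {self.target: set(self.REQUIRED)}

class UpdateDatasetCommand(Command):
    REQUIRED = frozenset({Permission.EDIT_DATASET})
    def __init__(self, user, dataset, new_name):
        super().__init__(user, dataset)
        self.new_name = new_name
    def execute(self):
        self.target.name = self.new_name
        return self.target

class MoveDatasetCommand(Command):
    """Programmatic form: two objects are touched, each with its own requirement."""
    def __init__(self, user, dataset, destination):
        super().__init__(user, dataset)
        self.destination = destination
    def required_permissions(self):
        return {self.target: {Permission.EDIT_DATASET},
                self.destination: {Permission.ADD_DATASET}}
    def execute(self):
        self.destination.children.append(self.target)
        return self.destination

class Engine:
    """Single checkpoint: all controllers submit here; checks precede any side effect."""
    def submit(self, cmd):
        for obj, needed in cmd.required_permissions().items():
            missing = needed - obj.grants.get(cmd.user, set())
            if missing:
                raise PermissionError(f"{cmd.user} lacks {sorted(m.name for m in missing)} on {obj.name}")
        return cmd.execute()
```

Because UI and API code both go through `Engine.submit`, a permission check cannot be forgotten in one caller and present in the other; a multi-object command such as the move is refused if the user lacks permission on any one of the objects it touches.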

Original language: English
Title of host publication: Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017
Publisher: Institute of Electrical and Electronics Engineers
Pages: 54-60
Number of pages: 7
ISBN (Electronic): 9781538634677
DOIs
State: Published - 20 Oct 2017
Event: 2017 IEEE Cybersecurity Development Conference, SecDev 2017 - Cambridge, United States
Duration: 24 Sep 2017 to 26 Sep 2017

Publication series

Name: Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017

Conference

Conference: 2017 IEEE Cybersecurity Development Conference, SecDev 2017
Country/Territory: United States
City: Cambridge
Period: 24/09/17 to 26/09/17

Keywords

  • Security Design Patterns
  • Software Engineering
  • System Design

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
