Security Analysis of the Core J2EE Patterns
Rohit Sethi
Security Compass
rohit@securitycompass.com
Education Project
Overview
• Project to analyze the popular Core J2EE Patterns for security
• Design-time activity aimed at pointing out common security pitfalls and proper ways to implement security within design patterns
• Originally a white paper – donated to OWASP by Security Compass
Objectives
• Provide a mechanism to disseminate security advice independent of the underlying framework (e.g. Struts, Spring, custom MVC, etc.)
• Speak to software designers in a language they already understand and use to communicate design concepts (i.e. design patterns)
• Help security reviewers know where to look within a large, complex Java EE application for common security issues
Status and Future Objectives
• Current release contains initial write-up
• Currently soliciting additional security advice from the application security community
• Future objectives:
  • Add example source code
  • .Net pattern analysis
  • Fowler Patterns of Enterprise Application Architecture analysis
  • Enterprise Integration Patterns analysis
  • Emerging (e.g. Web 2.0) pattern analysis