Securing the Core JEE Patterns
This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP and he works at Security Compass, a security analysis and training company. My notes from the session are below:
- Before anyone starts building complex systems, they need to design.
- We create threat models on completed designs.
- What about during design?
- Book: "Core J2EE Patterns Best Practices and Design Strategies"
- If you use J2EE development, chances are you're using patterns documented here
- Core J2EE patterns are used extensively
- Patterns are used in JSF, Velocity, Struts, Tapestry, Spring, and Proprietary Frameworks
Example: Project: Analyze Patterns
Use to Implement:
- Synchronization Tokens as Anti-CSRF Mechanism
- Page-level authorizations
Avoid:
- XSLT and Xpath vulnerabilities
- XML Denial of Service
- Disclosure of information in SOAP faults
- Publishing WSDL files
- Unhandled commands
- Unauthorized commands
Project Goals
- Analyze patterns for security pitfalls to avoid
- Determine how patterns can implement security controls
- Provide advice portable to most frameworks
A security pattern is not the same as a security analysis of a pattern.
Uses
- Designing new web application frameworks (make the next generation of frameworks secure by default)
- Designing new apps that use the patterns
- Source code review of existing apps
- Runtime assessment of existing apps
- Integrate with threat modeling of new or existing apps
You can help:
- Tell developers
- Improve the analysis
Next Steps?
- Add code review and examples to the existing pattern book
- Look at other pattern books to see if there are other patterns that we should analyze
Our Dream
- New web application framework idea + Design-time security analysis = Secure-by-default web application framework
Oracle + BEA = ?
We use Oracle Application Server as our Java app server at NI. Yeah, yeah, I'll wait till you stop laughing.
Why not JBoss or WebLogic or WebSphere? Well, a couple reasons. We made the decision five years ago, and JBoss wasn't solid then, and we needed J2EE support so plain Tomcat wasn't enough. And we're a huge Oracle shop and figured that if we were using the same app server on the Web and our ERP tiers there'd be leverage in terms of developer knowledge etc. Would we make that same decision today? I'm not sure about that (I can hear my team members shouting "hell no" over the cube walls). Although since we've also gone with Oracle's SOA suite for ESB and BPEL it would be harder to switch. But still tempting - Oracle has done a horrible job in getting their app server supported by other vendors. Every time we buy something and look at the supported app server section of their support matrix, and we ask "What about Oracle's OAS?" we get expressions of mixed horror and pity from the supplier. (I liked it when the Chinese technical guy from one eComm vendor we had in responded to this question with, "You know, the Tomcat is good, and free! Maybe you use that!")
Anyway, Oracle bought BEA a while back, which got keen interest from us. Stay with Oracle *and* use a good app server that other people support? Tempting! But Oracle's been farting around for six months without coming out with a statement on what this will mean for the products. Oracle's finally done a Webcast describing their strategy. Well, it's half marketing and a celebration of how many million dollars they have. But there's also a lot of product strategy in there. I'll sum it up for you because the damn webcast is nearly two hours long, and I don't want other people to have to waste that much time on it. Unless you like to hear someone go on about "strategic clarity" and "customer profiles," in which case this is two hours of bliss for you and you should watch it. Although I also had the stream break a bunch of times while watching. Who the heck uses RealPlayer any more? Anyway, here's a list of the interesting product facts from the Webcast. Some are marked with their timestamp if you want to fast forward to them and see more.