<p><span style="text-decoration: underline;"><strong>Securing the Core JEE Patterns</strong></span></p>
<p>Published 2009-11-13 at <a href="https://www.webadminblog.com/index.php/2009/11/13/securing-the-core-jee-patterns/">https://www.webadminblog.com/index.php/2009/11/13/securing-the-core-jee-patterns/</a> (categories: OWASP AppSec DC 2009, web app sec).</p>
<p>This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP, who works at Security Compass, a security analysis and training company. My notes from the session are below:</p>
<ul>
<li>Before anyone starts building complex systems, they need to design.</li>
<li>We create threat models on completed designs.</li>
<li>What about during design?</li>
<li>Book: “Core J2EE Patterns: Best Practices and Design Strategies”</li>
<li>If you do J2EE development, chances are you’re using patterns documented in this book</li>
<li>Core J2EE patterns are used extensively</li>
<li>Patterns are used in JSF, Velocity, Struts, Tapestry, Spring, and proprietary frameworks</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Example: Project: Analyze Patterns</strong></span></p>
<p>Use to implement:</p>
<ul>
<li>Synchronization tokens as an anti-CSRF mechanism</li>
<li>Page-level authorization</li>
</ul>
<p>Avoid:</p>
<ul>
<li>XSLT and XPath vulnerabilities</li>
<li>XML denial of service</li>
<li>Disclosure of information in SOAP faults</li>
<li>Publishing WSDL files</li>
<li>Unhandled commands</li>
<li>Unauthorized commands</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Project Goals</strong></span></p>
<ul>
<li>Analyze patterns for security pitfalls to avoid</li>
<li>Determine how patterns can implement security controls</li>
<li>Provide advice portable to most frameworks</li>
</ul>
<p>A security pattern is not the same as a security analysis of a pattern.</p>
<p><span style="text-decoration: underline;"><strong>Uses</strong></span></p>
<ul>
<li>Designing new web application frameworks (make the next generation of frameworks secure by default)</li>
<li>Designing new apps that use the patterns</li>
<li>Source code review of existing apps</li>
<li>Runtime assessment of existing apps</li>
<li>Integrate with threat modeling of new or existing apps</li>
</ul>
<p><span style="text-decoration: underline;"><strong>You can help:</strong></span></p>
<ul>
<li>Tell developers</li>
<li>Improve the analysis</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Next Steps?</strong></span></p>
<ul>
<li>Add code review and examples to the existing pattern book</li>
<li>Look at other pattern books to see if there are other patterns that we should analyze</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Our Dream</strong></span></p>
<ul>
<li>New web application framework idea + design-time security analysis = secure-by-default web application framework</li>
</ul>