Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1 Security Analysis of the Core J2EE Patterns
Rohit Sethi, Security Compass, rohit@securitycompass.com
Education Project
The OWASP Foundation, http://www.owasp.org
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2 Overview
• Project to analyze the popular Core J2EE Patterns for security
• Design-time activity aimed at pointing out common security pitfalls and proper ways to implement security within design patterns
• Originally a white paper – donated to OWASP by Security Compass

3 Objectives
• Provide mechanism to disseminate security advice independent of the underlying framework (e.g. Struts, Spring, custom MVC, etc.)
• Speak to software designers in a language they understand and use to communicate design concepts (i.e. design patterns)
• Aid security reviewers in where to look within a large, complex Java EE application for common security issues

4 Status and Future Objectives
• Current release contains initial write-up
• Currently soliciting additional security advice from application security community
• Future objectives:
    • Add example source code
    • .Net pattern analysis
    • Fowler Patterns of Enterprise Application Architecture analysis
    • Enterprise Integration Patterns analysis
    • Emerging (e.g. Web 2.0) pattern analysis

