Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP Security Analysis of the Core J2EE Patterns
Rohit Sethi, Security Compass
Education Project
Overview
Project to analyze the popular Core J2EE Patterns for security
Design-time activity aimed at pointing out common security pitfalls and proper ways to implement security within design patterns
Originally a white paper, donated to OWASP by Security Compass
Objectives
Provide a mechanism to disseminate security advice independent of the underlying framework (e.g. Struts, Spring, custom MVC, etc.)
Speak to software designers in a language they understand and use to communicate design concepts (i.e. design patterns)
Aid security reviewers in knowing where to look within a large, complex Java EE application for common security issues
Status and Future Objectives
Current release contains the initial write-up
Currently soliciting additional security advice from the application security community
Future objectives:
    Add example source code
    .Net pattern analysis
    Fowler Patterns of Enterprise Application Architecture analysis
    Enterprise Integration Patterns analysis
    Emerging (e.g. Web 2.0) pattern analysis