This talk was given by Mike Wiesner, Senior Consultant at SpringSource.
"Missing input validation is the root of all evil!" - Mike Wiesner, Devoxx 2008
Mike started by showing an overview of the most important security threats in web applications. The top three are cross-site scripting, SQL injection and directory traversal. In other words, by paying attention to proper input validation in your web application, you can prevent about 80% of potential security issues.
He talked in depth about the following patterns:
- Client-side validation only makes the application more user friendly; it cannot replace server-side validation
- JSR 303 (Bean Validation): AOP can be used to implement an Intercepting Validator
- Single Access Point
- Reference Monitor with AOP
- security is applied by annotations at method level
- the advantage is that you can test security and functionality separately: security tests don't execute application logic, and security can be disabled for functional tests
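As an added illustration (not code from the talk or from SpringSource) of the Reference Monitor with AOP pattern above: one aspect is the single access point that checks a method-level annotation against the current security session before the business method runs. The annotation, session and service names are hypothetical, and wiring the aspect into Spring (AspectJ auto-proxying) is assumed and not shown.

```java
// Added example: Reference Monitor with AOP. All names below are hypothetical;
// the aspect syntax is standard AspectJ as supported by Spring AOP.
import java.lang.annotation.*;
import java.util.Set;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

/** Method-level security declaration; the business code carries only this. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String value();
}

/** Security Session pattern: the caller's roles, bound to the current thread. */
class SecuritySession {
    private static final ThreadLocal<Set<String>> ROLES = ThreadLocal.withInitial(Set::of);
    static void login(Set<String> roles) { ROLES.set(roles); }
    static void logout() { ROLES.remove(); }
    static boolean hasRole(String role) { return ROLES.get().contains(role); }
}

/** Reference Monitor: every call to an annotated method passes through here. */
@Aspect
class ReferenceMonitor {
    // Binds the annotation instance on the target method to the parameter.
    @Around("@annotation(requiresRole)")
    public Object check(ProceedingJoinPoint pjp, RequiresRole requiresRole) throws Throwable {
        if (!SecuritySession.hasRole(requiresRole.value())) {
            // Fail closed: the business method is never invoked.
            throw new SecurityException("missing role " + requiresRole.value()
                    + " for " + pjp.getSignature().toShortString());
        }
        return pjp.proceed();
    }
}

/** Application logic contains no security checks of its own. */
class AccountService {
    @RequiresRole("ROLE_ADMIN")
    public void closeAccount(String accountId) {
        // business logic only
    }
}
```

Registering the aspect only in the security test context, and leaving it out of the functional test context, is what lets the two kinds of tests run separately as described above.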
These are a few other patterns he mentioned:
- Role Based Access Control or Role Based Security
- Role-Rights Definition
- Controlled Object Factory
- Data Driven Security
- Multi-Level Security
- Security Session
Another interesting thing he mentioned is XACML, a security policy management standard from OASIS that defines security policies in XML.
Apart from the patterns, which are definitely worth looking at, what I took home from this talk is that the most important thing when implementing security is to think. Patterns are just abstract ideas to help create a good design for your application. They are not blueprints that can be applied blindly.