“Security Patterns revealed” Talk at Devoxx08

December 18th, 2008 by nils

This talk was given by Mike Wiesner, Senior Consultant at SpringSource.

Missing input validation is the root of all evil!
– Mike Wiesner, Devoxx 2008

Mike started with an overview of the most important security threats in web applications. The top three are cross-site scripting, SQL injection and directory traversal. All three share the same root cause: data supplied by the client reaches an interpreter (the browser's HTML parser, the database, the filesystem) without being checked. In other words, by paying attention to proper input validation in your web application you can, by Mike's estimate, prevent about 80% of potential security issues.
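As an added illustration of the third item (this is my own example, not code from the talk), here is the kind of server-side check that stops directory traversal: a positive allow-list on the file name first, then a canonical containment check as defence in depth. The class name SafePathResolver, the constant SAFE_NAME and the sample "uploads" directory are assumptions for the example; it needs Java 11 or newer.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example: allow-list validation plus canonical containment check for
// a client-supplied file name. Class and method names are made up here.
public class SafePathResolver {
    // Positive validation first: plain file names only, no separators, no "..".
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // toRealPath() canonicalises once: symlinks and ".." segments resolved.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the path for a user-supplied name inside baseDir, or throws. */
    public Path resolve(String userInput) throws IOException {
        if (userInput == null || !SAFE_NAME.matcher(userInput).matches()) {
            throw new IllegalArgumentException("rejected file name: " + userInput);
        }
        Path candidate = baseDir.resolve(userInput).normalize();
        // Defence in depth: even if the allow-list were loosened later, the
        // resolved path must stay under baseDir (an absolute input would
        // otherwise replace baseDir entirely).
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + userInput);
        }
        // If the target exists, re-check on its real path so that a symlink
        // planted inside baseDir cannot point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new SecurityException("symlink escapes base directory: " + userInput);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory and file for the demo.
        Path tmp = Files.createTempDirectory("uploads");
        Files.writeString(tmp.resolve("report.txt"), "ok");
        SafePathResolver r = new SafePathResolver(tmp);
        System.out.println("allowed: " + r.resolve("report.txt"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "a/b.txt", "..", ""}) {
            try {
                r.resolve(bad);
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

The allow-list alone already rejects every traversal attempt in the demo; the two path checks are there so that a later relaxation of the pattern (say, to permit sub-directories) does not silently reopen the hole.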

He talked in depth about the following patterns:

Intercepting Validator

  • Client-side validation is only a usability feature; an attacker simply bypasses the browser and posts whatever he likes, so it cannot replace server-side validation
  • JSR 303 (Bean Validation) constraints can be enforced by an AOP interceptor placed in front of the business methods, which then acts as the Intercepting Validator

Single Access Point

  • A Reference Monitor implemented with AOP: every call into the secured layer passes through one interceptor
  • Security is declared with annotations at method level
  • Advantage: you can test security and functionality separately, since security tests don't execute application logic, and security can be disabled for functional tests
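To make the two patterns above concrete, here is an added example of my own (not code from the talk, and not Spring Security or a JSR 303 implementation) that builds both with nothing but a JDK dynamic proxy, where Spring AOP would normally do the proxying for you. The annotations @NotBlank, @MaxLength and @RequiresRole, the AccountService interface and the SecurityInterceptor class are hypothetical stand-ins for the JSR 303 constraints and the method-level security annotations Mike described. The proxy is the Single Access Point: every call passes through invoke(), which first acts as Reference Monitor and then as Intercepting Validator, and both checks can be switched off so that functional tests exercise only the business logic. Needs Java 9 or newer.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

public class InterceptingSecurityDemo {

    // Hypothetical annotations: stand-ins for JSR 303 constraints and for a
    // method-level security annotation. Not the real ones.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface NotBlank {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface MaxLength { int value(); }

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    // Business interface: constraints and role requirements are declared on
    // the method signatures and enforced by the interceptor, not by the impl.
    interface AccountService {
        String rename(@NotBlank @MaxLength(32) String newName);

        @RequiresRole("ADMIN")
        void close(@NotBlank String accountId);
    }

    // Plain business logic with no validation or access control of its own.
    static class AccountServiceImpl implements AccountService {
        public String rename(String newName) { return "renamed to " + newName; }
        public void close(String accountId) { /* close the account */ }
    }

    // Single Access Point: every call on the proxy goes through invoke(),
    // which is Reference Monitor and Intercepting Validator in one place.
    static class SecurityInterceptor implements InvocationHandler {
        private final Object target;
        private final Set<String> callerRoles;
        private final boolean enforce; // false: functional tests bypass security

        SecurityInterceptor(Object target, Set<String> callerRoles, boolean enforce) {
            this.target = target;
            this.callerRoles = callerRoles;
            this.enforce = enforce;
        }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            if (enforce) {
                authorize(m);      // Reference Monitor
                validate(m, args); // Intercepting Validator
            }
            try {
                return m.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the target's own exception unwrapped
            }
        }

        // Deny by default: a required role that the caller lacks ends the call.
        private void authorize(Method m) {
            RequiresRole rr = m.getAnnotation(RequiresRole.class);
            if (rr != null && !callerRoles.contains(rr.value())) {
                throw new SecurityException(m.getName() + ": requires role " + rr.value());
            }
        }

        // Check each argument against the constraints declared on its parameter.
        private void validate(Method m, Object[] args) {
            Annotation[][] perParam = m.getParameterAnnotations();
            for (int i = 0; i < perParam.length; i++) {
                Object arg = args[i];
                for (Annotation a : perParam[i]) {
                    if (a instanceof NotBlank && (arg == null || arg.toString().trim().isEmpty())) {
                        throw new IllegalArgumentException(m.getName() + " arg " + i + " must not be blank");
                    }
                    if (a instanceof MaxLength && arg != null
                            && arg.toString().length() > ((MaxLength) a).value()) {
                        throw new IllegalArgumentException(m.getName() + " arg " + i
                                + " longer than " + ((MaxLength) a).value());
                    }
                }
            }
        }
    }

    static AccountService secured(AccountService impl, Set<String> roles, boolean enforce) {
        return (AccountService) Proxy.newProxyInstance(
                AccountService.class.getClassLoader(),
                new Class<?>[] { AccountService.class },
                new SecurityInterceptor(impl, roles, enforce));
    }

    public static void main(String[] args) {
        AccountService asUser = secured(new AccountServiceImpl(), Set.of("USER"), true);
        System.out.println(asUser.rename("alice"));
        try { asUser.rename("   "); } catch (IllegalArgumentException e) { System.out.println("blocked: " + e.getMessage()); }
        try { asUser.close("acct-1"); } catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }

        // Functional-test mode: security off, only the business logic runs.
        AccountService unsecured = secured(new AccountServiceImpl(), Set.of(), false);
        unsecured.close("acct-1");
        System.out.println("functional path ok without security");
    }
}
```

The separation Mike described falls out of the design: a security test can call the proxy with different role sets and assert on SecurityException without caring what AccountServiceImpl does, while a functional test constructs the proxy with enforce=false (or skips the proxy entirely) and never touches the security code.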

These are a few other patterns he mentioned:

  • Role Based Access Control, also called Role Based Security
  • Role-Rights Definition
  • Controlled Object Factory
  • Data Driven Security
  • Multi-Level Security
  • Security Session

Another interesting thing he mentioned is XACML (eXtensible Access Control Markup Language), an OASIS standard for policy management that expresses access-control policies, and the requests and decisions evaluated against them, in XML.

Apart from the patterns, which are definitely worth looking at, what I took home from this talk is that the most important thing when implementing security is to think. Patterns are just abstract ideas that help you create a good design for your application. They are not blueprints that can be applied blindly.