Missing input validation is the root of all evil!
- Mike Wiesner, Devoxx 2008

Mike started by showing an overview of the most important security threats in web applications. The top three are cross-site scripting, SQL injection and directory traversal (Example). In other words, by paying attention to proper input validation in your web application, you can prevent about 80% of potential security issues.

He talked in depth about the following patterns:

Intercepting Validator

• Client-side validation is just a way to make the application more user friendly, it can not replace server side validation
• JSR 303 – Bean Validation -> AOP can be used as Intercepting Validator

Single Accesss Point

• Reference Monitor with AOP
• security is applied by annotations on method level
• advantage is that you can test security and functionality separately -> security tests don’t execute application logic and security can be disabled for functional tests

These are a few other patterns he mentioned:

• Role Based Access Control or Role Based Security (Wikipedia article)
• Role-Rights Definition
• Controlled Object Factory
• Data Driven Security
• Multi-Level Security
• Security Session

An other interesting thing he mentioned is XACML, a security policy management standard from OASIS that defines security policies in XML.

Apart from the patterns, that are definitely worth looking at, what I took home from this talk is that the most important thing when implementing security is to think. Patterns are just abstract ideas to help creating a good design for your application. They are not blue prints that can be applied blindly.