Difference between revisions of "Category:OWASP Security Analysis of Core J2EE Design Patterns Project"

From OWASP
Jump to: navigation, search
(Added link to the project leads podcast episode)
(34 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
==== Main ====
 
==== Main ====
= Project Roadmap =
 
* The project’s overall goal is to...
 
** Be a design-time security reference for developers implementing common patterns independent of specific platforms and frameworks. Pattern usage is ubiquitous in software development, and the best patterns transcend specific languages and/or frameworks; analyzing the most pivotal frameworks in web applications allows us to build security advice that developers will use far in the future. At the same time, analyzing common patterns helps manual penetration testers and source code reviewers understand where to look for vulnerabilities within an application.
 
  
* In the near term, we are focused on the following tactical goals...
+
=== Introduction ===
  
1. Convert existing Core J2EE Patterns analysis word document into wiki format,
+
<p>Most application security experts focus on a single activity for integrating design into the SDLC: threat modeling . Threat modeling is excellent at approximating an application’s attack surface but, in our experience, developers sometimes do not have the time, budget or security know-how to build an adequate threat model. Perhaps more importantly, developers cannot create a comprehensive threat model until they complete the application design.</p>
  
2. Solicit feedback and add additional advice to each pattern,
+
<p>This reference guide aims at dispensing security best practices to developers to make security decisions during design. We focus on one of the most important concepts in modern software engineering: design patterns. Ever since the publication of the seminal Design Patterns Book , developers have reused common patterns such as Singleton and Factory Method in large-scale software projects. Design patterns offer a common vocabulary to discuss application design independent of implementation details.
 +
One of the most critically acclaimed pattern collections in the Java Enterprise Edition (JEE) community is the Core J2EE Patterns book  by Deepak Alur, Dan Malks and John Crupi  . Developers regularly implement patterns such as “Application Controller”, “Data Access Object” or “Session Façade” in large, distributed JEE applications and in frameworks such as Spring  and Apache Struts . We aim to dispense security best practices so that developers can introduce security features and avoid vulnerabilities independent of their underlying technology choices such as which Model View Controller (MVC) framework to use.</p>
  
3. Determine next steps in group:
+
<p>Java developers currently have access to patterns for security code (e.g. how to develop authentication, how to implement cryptography) such as the Core Security Patterns book. We hope our guide will help address the critical shortage of advice on securely coding using existing design patterns. Your feedback is critical to improving the quality and applicability of the best practices listed in the Security Analysis of Core J2EE Design Patterns. Please contact the mailing list at owasp_security_analysis_j2ee@lists.owasp.org with comments or questions and help improve the guide for future developers.</p>
  
3.1. Add source code examples,
 
  
3.2. Start reviewing other patterns, such as Patterns of Enterprise  Application Architecture, Enterprise Integration Patterns, or .Net Patterns.
+
The project is broken up into three categories:
 +
*[[:Category:OWASP Security Analysis of Core J2EE Design Patterns Project/PresentationTier|Presentation Tier Patterns]]
 +
*[[:Category:OWASP Security Analysis of Core J2EE Design Patterns Project/BusinessTier|Business Tier Patterns]]
 +
*[[:Category:OWASP Security Analysis of Core J2EE Design Patterns Project/EISTier|EIS Tier Patterns]]
  
  
 +
''Hear the project lead talk about this project on [http://www.owasp.org/index.php/Podcast_40 OWASP Podcast #40]''
  
 +
==Downloadable Versions==
 +
You can download the OWASP Security Analysis of Core J2EE Design Patterns here:
 +
 +
* [https://www.owasp.org/index.php/File:Security_Analysis_of_Core_JEE_Design_Patterns_v0.1.doc Editable DOC Version]
 +
 +
* [http://www.owasp.org/index.php/File:Security_Analysis_of_Core_JEE_Design_Patterns_v0.01.pdf PDF Version]
 +
 +
The source for the images used in the patterns can be downloaded [http://www.owasp.org/index.php/File:Secure_pattern_images.ppt here]
  
 
==== Project Identification ====
 
==== Project Identification ====
{{Template:OWASP Security Analysis of Core J2EE Design Patterns Project}}
+
{{Template:OWASP Security Analysis of Core J2EE Design Patterns Project - GPC Tab}}
  
[[Category:OWASP Project]]
+
[[Category:OWASP Project|Security Analysis of Core J2EE Design Patterns Project]]
 
[[Category:OWASP Document]]
 
[[Category:OWASP Document]]
 
[[Category:OWASP Alpha Quality Document]]
 
[[Category:OWASP Alpha Quality Document]]
Line 28: Line 37:
 
__NOTOC__
 
__NOTOC__
 
<headertabs/>
 
<headertabs/>
 +
 +
''''' Project's License:''''' [http://www.gnu.org/licenses/gpl-3.0.html '''GPL v3''']

Revision as of 10:32, 1 October 2009

Main

Introduction

Most application security experts focus on a single activity for integrating design into the SDLC: threat modeling . Threat modeling is excellent at approximating an application’s attack surface but, in our experience, developers sometimes do not have the time, budget or security know-how to build an adequate threat model. Perhaps more importantly, developers cannot create a comprehensive threat model until they complete the application design.

This reference guide aims at dispensing security best practices to developers to make security decisions during design. We focus on one of the most important concepts in modern software engineering: design patterns. Ever since the publication of the seminal Design Patterns Book , developers have reused common patterns such as Singleton and Factory Method in large-scale software projects. Design patterns offer a common vocabulary to discuss application design independent of implementation details. One of the most critically acclaimed pattern collections in the Java Enterprise Edition (JEE) community is the Core J2EE Patterns book by Deepak Alur, Dan Malks and John Crupi . Developers regularly implement patterns such as “Application Controller”, “Data Access Object” or “Session Façade” in large, distributed JEE applications and in frameworks such as Spring and Apache Struts . We aim to dispense security best practices so that developers can introduce security features and avoid vulnerabilities independent of their underlying technology choices such as which Model View Controller (MVC) framework to use.

Java developers currently have access to patterns for security code (e.g. how to develop authentication, how to implement cryptography) such as the Core Security Patterns book. We hope our guide will help address the critical shortage of advice on securely coding using existing design patterns. Your feedback is critical to improving the quality and applicability of the best practices listed in the Security Analysis of Core J2EE Design Patterns. Please contact the mailing list at owasp_security_analysis_j2ee@lists.owasp.org with comments or questions and help improve the guide for future developers.


The project is broken up into three categories:


Hear the project lead talk about this project on OWASP Podcast #40

Downloadable Versions

You can download the OWASP Security Analysis of Core J2EE Design Patterns here:

The source for the images used in the patterns can be downloaded here

Project Identification

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What does this OWASP project release offer you?
what is this project?
OWASP Security Analysis of Core J2EE Design Patterns Project

Purpose: To analyze popular design and architectural patterns for potential security issues, including advice on common pitfalls to avoid and where in a pattern to implement common security controls. Note that we are not creating new “security patterns” but rather analyzing existing non-security-specific patterns.

Project License: GPL v3

who is working on this project?
Project Leader: Rohit Sethi

Project Maintainer: Rohit Sethi, Jim Manico

Project Contributor(s): Sahba Kazerooni, Krish Raja, Subu Ramanathan, Oliver Lavery, Frank Kim

how can you learn more?

3x slide presentation: To view, click here

Project Flyer/Pamphlet: To view, click here

Mail list: Subscribe or read the archives

Project Roadmap: To view, click here

Project main links: To view, click here

Project Health: Yellow button.JPG Not reviewed

Reviewed under: Assessment Criteria v2.0

Key Contacts
  • Contact Rohit Sethi to contribute to this project,
  • Contact Rohit Sethi or GPC to review or sponsor this project,
  • Contact GPC to report a problem or concern about this project or to update information.
current Release

Name: FIRST RELEASE - July 2009 - download

Release Leader: Rohit Sethi

Release details: Main links, release roadmap and assessment

Release Rating: Yellow button.JPG Not reviewed/Targeted at Stable Release
Reviewed under Assessment Criteria v2.0



Project's License: GPL v3

This category currently contains no pages or media.