Category:OWASP Security Analysis of Core J2EE Design Patterns Project

Introduction
Most application security experts focus on a single activity for integrating design into the SDLC: threat modeling. Threat modeling is excellent at approximating an application’s attack surface but, in our experience, developers sometimes do not have the time, budget or security know-how to build an adequate threat model. Perhaps more importantly, developers cannot create a comprehensive threat model until they complete the application design.

This reference guide aims at dispensing security best practices to developers to make security decisions during design. We focus on one of the most important concepts in modern software engineering: design patterns. Ever since the publication of the seminal Design Patterns Book, developers have reused common patterns such as Singleton and Factory Method in large-scale software projects. Design patterns offer a common vocabulary to discuss application design independent of implementation details. One of the most critically acclaimed pattern collections in the Java Enterprise Edition (JEE) community is the Core J2EE Patterns book by Deepak Alur, Dan Malks and John Crupi. Developers regularly implement patterns such as “Application Controller”, “Data Access Object” or “Session Façade” in large, distributed JEE applications and in frameworks such as Spring and Apache Struts. We aim to dispense security best practices so that developers can introduce security features and avoid vulnerabilities independent of their underlying technology choices such as which Model View Controller (MVC) framework to use.

Java developers currently have access to patterns for security code (e.g. how to develop authentication, how to implement cryptography) such as the Core Security Patterns book. We hope our guide will help address the critical shortage of advice on securely coding using existing design patterns. Your feedback is critical to improving the quality and applicability of the best practices listed in the Security Analysis of Core J2EE Design Patterns. Please contact the mailing list at owasp_security_analysis_j2ee@lists.owasp.org with comments or questions and help improve the guide for future developers.

The project is broken up into three categories:
 * Presentation Tier Patterns
 * Business Tier Patterns
 * EIS Tier Patterns

Hear the project lead talk about this project on OWASP Podcast #40

Downloadable Versions
You can download the OWASP Security Analysis of Core J2EE Design Patterns here:


 * Editable DOC Version


 * PDF Version

The source for the images used in the patterns can be downloaded

Project Identification
 Project's License: GPL v3