Some weeks ago we prepared a short survey about security aspects in Java-based web applications. We got 41 answers that allowed us to shed some light on 1) the importance of security aspects according to Java web developers, 2) how they define and use access-control mechanisms to manage them, and 3) the main security properties they consider when doing so. You can find the full response data at the following link. For a summary of the main conclusions we can draw from the data, keep reading!
Importance of specifying security (access-control) aspects in Java web applications
How critical are security aspects in the development of web applications?
How are security aspects defined?
How difficult do you find the definition of access-control policies in Java EE applications?
Access control is very often implemented using the deployment descriptor, direct calls to the Java EE security API, and other security frameworks beyond Java EE. On the other hand, code annotations are scarcely used: in particular, 68% of respondents either never or rarely use them.
Which security properties are most relevant?
Among the different risks that could affect a Java-based web application, having private resources involuntarily exposed (reachability) and having access-control policies accidentally hide other ones (shadowing) are perceived as really important by around 93% (38/41) and 83% (34/41) of respondents respectively.
On the other hand, having redundant access-control policies (redundancy) does not entail a big security risk for more than 51% (21/41) of the respondents. However, a large majority of the respondents think that reachability (66%), shadowing (63%) and redundancy (68%) are security properties that are likely to be violated while putting an access-control policy in place.
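As an added example (not code from the original post), a toy checker for the three properties just named, run over a constructed web.xml deployment descriptor. The definitions of reachability, shadowing and redundancy in the code are this example's own operational reading of the terms above, and URL matching follows the Servlet best-match rule (an exact path beats the longest path prefix); extension patterns, http-method and transport-guarantee elements are deliberately left out.

```python
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>  <!-- constructed sample; http-method and transport-guarantee omitted -->
<security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/admin/export.jsp</url-pattern></web-resource-collection>
  </security-constraint>  <!-- no auth-constraint: this exact match is public -->
<security-constraint><web-resource-collection><url-pattern>/admin/reports/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint></security-constraint></web-app>"""

def load_constraints(xml_text):
    """Return [(url_pattern, roles)]; roles is None when <auth-constraint> is absent (public)."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else frozenset(r.text for r in auth.iter("role-name"))
        out += [(p.text, roles) for p in sc.iter("url-pattern")]
    return out

def matches(pattern, url):
    """Exact path or path-prefix ('/x/*') url-pattern; '*.ext' patterns are not modelled here."""
    prefix = pattern.endswith("/*")
    return url == pattern or prefix and (url == pattern[:-2] or url.startswith(pattern[:-1]))

def effective(url, constraints):
    """(best pattern, required roles) for url; roles None means unauthenticated access is allowed."""
    best = max((p for p, _ in constraints if matches(p, url)),
               key=lambda p: (p == url, len(p)), default=None)  # exact beats longest prefix
    roles = [r for p, r in constraints if p == best]
    return best, None if not roles or None in roles else frozenset().union(*roles)

def analyse(constraints):
    findings = set()  # (property, winning pattern, overridden pattern)
    for i, (a, ra) in enumerate(constraints):
        if (a, ra) in constraints[i + 1:]:  # redundancy: same pattern and roles declared twice
            findings.add(("redundancy", a, a))
        url = a[:-1] + "_" if a.endswith("/*") else a  # a request URL that a is meant to cover
        for b, rb in constraints:  # shadowing: b also covers url, but the container applies a
            if b != a and matches(b, url) and effective(url, constraints)[0] == a and rb != ra:
                findings.add(("shadowing", a, b))
                if ra is None and rb is not None:  # reachability: b's roles lost, resource public
                    findings.add(("reachability", a, b))
    return findings

if __name__ == "__main__":
    print(*sorted(analyse(load_constraints(WEB_XML))), sep="\n")
```

On the sample, /admin/export.jsp ends up reachable without authentication although /admin/* requires the admin role, /admin/reports/* hides the admin constraint from administrators, and the duplicated /reports/* constraint is reported as redundant.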
Would you find an automatic tool for detecting violations in security policies useful?
These results point out that the definition of security policies is perceived by developers as an important activity, but at the same time as complex and error-prone. Thus, a tool could come in handy to help Java EE developers set up error-safe security policies. We're working on it!