Feeds

Aspect-oriented programming and security

Working together

Build a business case: developing custom apps

Comment Aspect-oriented programming (AOP) is a paradigm that is quickly gaining traction in the development world. At least partially spurred by the popularity of the Java Spring framework [1], people are beginning to understand the substantial benefits that AOP brings to development.

While several others have tied AOP to security [2][3], I aspire to raise awareness amongst my information security colleagues that AOP can have a substantially beneficial impact on application security. I'm convinced that, if more of us understand it, we'll be in a better place to work with developers to create secure applications and perhaps, more importantly add security into existing insecure applications.

What is AOP?

Many people don't really understand what AOP is. I used to think that AOP was a replacement for object-oriented programming (OOP), so I categorically rejected it without further examination. This notion is completely wrong: AOP compliments OOP. It centers on cross-cutting concerns, or aspects - parts of code that are common to many different objects, of which logging is the canonical example. Using an AOP language (such as AspectJ) or libraries (such as Spring), programmers can code this functionality once and then define where to weave it into existing objects. An example should help clarify this. Suppose we have the following Java classes:

Here we can see that logging functionality is exactly duplicated in two different classes. With AOP we do something like this (note syntax is simplified for clarity):

We now create a LogInterceptor aspect that we inject before and after any call to any Class (ignore details on how this injection happens for now, we'll discuss this shortly). We have essentially created a proxy for method calls. The important thing to note about this example is that both MyFirstClass and MySecondClass have no knowledge and no dependency on LogInterceptor. In a real application that logging code is probably replicated in hundreds of different class files, so centralizing it like this will reduce a substantial amount of source code. This has major ramifications, since we can now add security aspects to applications without having to modify existing code.

Security Implications

Several security-relevant cross-cutting concerns are found scattered throughout the application logic:

  • Logging
  • Access control
  • Error handling
  • Transaction management
  • Session management (in some cases)
  • Input/output validation

Using AOP, we can separate a good large chunk of these concerns from the code base and centralize them. Sure there will be some cases where centralization is not possible (e.g. very specific error handling), but by and large, AOP allows developers to concentrate on the elusive Plain Old Java Object (or whatever language you are using). A POJO is essentially the code that developers were taught to write from day one; code that only focuses on business logic and not other concerns such as input validation, logging, access control, and complex error handling. Cleaner code is less prone to bugs - including security bugs.

Another implication of this is that subject matter experts can be responsible for coding the security aspects. People who have been specifically trained, and have experience in a domain such as session management or access control, can handle the lion's share of that code in an entire project or one component of the project.

Maximizing your infrastructure through virtualization

More from The Register

next story
Whoah! How many Google Play apps want to read your texts?
Google's app permissions far too lax – security firm survey
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
OpenWRT gets native IPv6 slurping in major refresh
Also faster init and a new packages system
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.