Channel

This article is more than 1 year old

Aspect-oriented programming and security

Working together

Wed 31 Oct 2007 // 19:35 UTC

What's next?

The potential uses for Aspect-oriented programming in application security are enormous. Here are a couple of other applications AOP in security:

Implement access control independently of application logic. Instead of having explicit checks such as checkAccess(User) in each sensitive function, you can achieve this through aspects and let developers focus on business logic
Implement application security policies such as explicitly forbidding programmers from calling dynamic SQL libraries (e.g. executeQuery()). Whenever that library is called, you can use aspects to throw an exception and record exactly where the offending call came from

Developers are already moving towards adopting AOP. JBoss, WebSphere, and WebLogic either have existing functionality to integrate AOP or have made announcements to do so in the future. Now the application security community needs to follow suit by providing guidance on how AOP can be used in a security context.

We can achieve this by ensuring we add AOP to our application security training curriculums (something we’ve included in our new class for SANS, and I hope other training companies do the same), do more research on how AOP works at securing applications in production (including benchmarks for performance impact), and providing more example code for developers to learn from.

Footnotes

Aspect-oriented programming with Spring; Spring Framework
Applying Aspect-Oriented Programming to Security; Viega, Bloch, and Chandra; Cutter IT Journal
Towards a security aspect for Java; Farías, Andrés
AspectJ
AsjectJ Development Tools
Using AspectJ with Spring Applications; Spring Framework Reference Guide

Data Validation, OWASP,

      public class MyFirstClass {
      public void amethod (String bar) {
                Logger.doLoggingBefore();
                //business logic goes here
                Logger.doLoggingAfter();
        }
      }
      public class MySecondClass {
        public void function (Object arg) {
                Logger.doLoggingBefore();
                //business logic goes here
                Logger.doLoggingAfter();
        }
      }
      public aspect LogInterceptor { 

      public Object invoke(){
      Logger.doLoggingBefore();
                method.execute(); 
                Logger.doLoggingAfter();
          }
      }
      public class MySecondClass {
        public void function (Object arg) {
                //business logic goes here
        }
      }
      public class MyFirstClass {
        public void amethod (String bar) {            
                //business logic goes here
        }

This article originally appeared in Security Focus.

Page:

← Prev
1
2
3
4

More about

COMMENTS

TIP US OFF

Send us news

Topics

Special Features

Vendor Voice

Resources

Channel

Aspect-oriented programming and security

Working together

What's next?

Footnotes

More about

TIP US OFF

Other stories you might like

Micron says it's first to QLC NAND with over 200 layers

Change Healthcare’s ransomware attack costs edge toward $1B so far

Blackstone wants to plug hyperscale datacenter into former Britishvolt battery site

Protecting distributed branch office environments from ransomware

Google location tracking deal could be derailed by politics

KPMG bags £8.5M NHS gig as cheerleader for Federated Data Platform rollout

AI cloud startup TensorWave bets AMD can beat Nvidia

Intel's effort to build a foundry biz is costing far more – and taking longer – than expected

NASA needs new ideas and tech to get Mars Sample Return mission off the ground

Broadcom throws VMware customers on perpetual licenses a lifeline

Alibaba Cloud reveals network telemetry tool that helped cut number of engineers needed by 86%

OpenAI launches Asian operations in Tokyo to avoid being lost in translation

About Us

Our Websites

Your Privacy