Application security is becoming increasingly important in Java. In this paper, we focus on security issues that frequently occur in enterprise Java components. We describe two commonly violated security patterns and show how such violations can be prevented with static analysis of the application source. We describe our techniques and experimentally evaluate them on a set of 10 large open-source Java applications totalling over 130,000 lines of code. Our current approach allows us to successfully find 22 real security errors. Finally, we outline limitations of the current approach as well future work that will allow us to increase our analysis coverage and detect more errors.
|