Today Krish Raja, Sahba Kazerooni, and I are releasing a Security Analysis of the Core J2EE Patterns. In our view, this sort of analysis is long overdue: software vendors, enterprise developers, and the open source community all use patterns judiciously. While developers have access to patterns about security, they rarely have access to a security analysis of non-security-specific patterns.
This beta release outlines our security analysis, and we would welcome feedback that helps us improve its quality. In future releases we intend to include source code examples to illustrate the concepts we describe.