The Anti-Pattern

80%

The Anti-Pattern

input = GET[ “username” ]

statement = “code “ + input

execute( statement )

The Anti-Pattern

• sql• ldap• eval• response.write• file.open• reflection• control.the.computer

INPUT

EXECUTE

Anti-AntiPatterns

Code not Text!

Text query languages suck.

Critera & Entity API: WIN

Code not Text

Root<Pet> pet = cq.from(Pet.class)cq.where(cb.equals(pet.get(Pet_.name), input))

s = “SELECT FROM pet WHERE pet.name =“ + inputexecuteSQL( s )

Fear String.Concat

Parameterized Queries: use wildcards instead of concatenating user input

Remove String.Concat

s = “SELECT FROM pet WHERE pet.name = @name“ps = prepare( s )ps.bind(“@name”, input)

s = “SELECT FROM pet WHERE pet.name =“ + inputexecuteSQL( s )

Defensein depth

INPUT

EXECUTE

GUARD Exception

Defense in Depth

input = GET[ “username” ]

if (whitelist.bad( input )) { secLog(“reject…”) throw new Exception()}

Summary

• Most common security coding vulns are variants of the same anti-pattern

• Use easy safe-by-design API– Entity & Criteria API – SQLi is hard =)

• Fear String.Concat– String operations are the mother of all evil– Parameterize if you must stick to text!

• Defend in Depth! – The anti-pattern can also be broken by input

validation.