[aosd-discuss] Security of web applications in production
Rohit Lists
rklists at gmail.com
Tue Feb 5 14:59:28 EST 2008
Hello, I am a consultant specializing in application security, focused
on the security of J2EE web applications. I've been designing course
content for the SANS Institute and my company (Security Compass) on
how to program security into web applications, and I've started to
introduce the concept of using AOP to bridge security gaps in poorly
designed systems (e.g. input validation and authorization).
Since being introduced to it by way of the Spring Framework, I have
been very interested in real-world applications of security in web
applications. I wrote an article on SecurityFocus (a popular portal
for security professionals) to try and spread the word about AOP:
http://www.securityfocus.com/infocus/1895. My colleague Nish Bhalla
and I are also presenting a talk on the subject at a couple of major
industry conferences this year (e.g.
https://cm.rsaconference.com/US08/catalog/profile.do?form=searchform&ts=1202241146597&SESSION_ID=3405).
As you are no doubt aware, many people in industry approach AOP with a
great deal of skepticism until they are shown real, concrete examples
of how and why it's useful. I will be in a position to recommend AOP
to quite a few different companies, but they will all ask the same
inevitable questions, and I was wondering if you could help with any
relevant information:
1. What is the performance impact of using a framework like AspectJ
in real, production web applications used by large organizations (e.g.
benchmark studies, case studies, etc.)?
2. How long have such applications been in production?
Without satisfactory answers to these questions, most of my clients
will not take the suggestion to use AOP very seriously.
Thanks in advance for any help that you can provide,
Rohit Sethi
Manager, Professional Services
Security Compass
http://www.securitycompass.com
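The technique the post refers to, an aspect that retrofits authorization and input validation onto service methods that were written without them, as an added illustration in Java using AspectJ-style annotations (as consumed by Spring AOP or the AspectJ weaver). This is editorial example code, not code from the post, the SecurityFocus article, or Security Compass. The `@RequiresRole` and `@Checked` annotations, the `CurrentUser` role holder, and `AccountService` are hypothetical names chosen for this example; registering the aspects (e.g. `@EnableAspectJAutoProxy` and declaring them as beans) is assumed to be done elsewhere.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.regex.Pattern;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

// Hypothetical marker: the annotated method may only run for callers holding this role.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String value();
}

// Hypothetical marker: every String argument of the annotated method is allowlist-checked.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Checked {
}

// Hypothetical holder for the caller's roles. A real application would populate it
// from the authenticated session at request entry and clear it at request exit.
final class CurrentUser {
    private static final ThreadLocal<Set<String>> ROLES = ThreadLocal.withInitial(() -> Set.of());

    static void setRoles(Set<String> roles) { ROLES.set(Set.copyOf(roles)); }
    static Set<String> roles() { return ROLES.get(); }
    static void clear() { ROLES.remove(); }
}

@Aspect
class AuthorizationAspect {
    // Fail closed: the check runs before the method body, and a missing role
    // aborts the call instead of letting it proceed with a warning.
    @Around("execution(* *(..)) && @annotation(requiresRole)")
    public Object enforce(ProceedingJoinPoint pjp, RequiresRole requiresRole) throws Throwable {
        String needed = requiresRole.value();
        if (!CurrentUser.roles().contains(needed)) {
            throw new SecurityException("Access denied to " + pjp.getSignature().toShortString()
                    + ": caller lacks role " + needed);
        }
        return pjp.proceed();
    }
}

@Aspect
class InputValidationAspect {
    // Conservative allowlist for identifiers: letters, digits, dot, dash, underscore, 1-64 chars.
    // Tune per application; an allowlist is preferred over a denylist of bad characters.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    @Before("execution(* *(..)) && @annotation(checked)")
    public void validate(JoinPoint jp, Checked checked) {
        Object[] args = jp.getArgs();
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof String && !SAFE.matcher((String) args[i]).matches()) {
                throw new IllegalArgumentException("Rejected argument " + i + " of "
                        + jp.getSignature().toShortString());
            }
        }
    }
}

// Example target: gains both checks without any change to its own body.
class AccountService {
    @RequiresRole("ADMIN")
    @Checked
    public String closeAccount(String accountId) {
        return "closed " + accountId;
    }
}
```

Two caveats a practitioner would want before relying on this in production. With Spring AOP the advice is applied by a proxy, so only calls that enter through the proxy are checked; a method calling `this.closeAccount(...)` from inside the same bean bypasses the aspect entirely, and compile-time or load-time weaving with the AspectJ weaver is needed to close that gap. And because the pointcuts above are driven by annotations, coverage is opt-in; a method that nobody annotated is unprotected, so a periodic audit of which public service methods carry `@RequiresRole` is part of the control, not an optional extra.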