Posted to user@struts.apache.org by Arshan Dabirsiaghi <ar...@aspectsecurity.com> on 2009/05/05 16:17:57 UTC

Application security gap analysis in Struts2

Struts2 folks,
 
The Intrinsic Security Working Group (ISWG) at OWASP (http://www.owasp.org) has been researching what security countermeasures an application architect or technical lead must plan for when creating a Struts2 application. The result of this research is a document on which we are seeking feedback from the Struts2 community of users and developers.
 
Mainly, we wanted to research what web application attacks developers of Struts2 applications would have to compensate for, and what, if any, security improvements could be made to the Struts2 framework to enable more secure web applications. 
 
The document is located here:
http://www.owasp.org/images/b/be/A_Gap_Analysis_of_Application_Security_in_Struts2.pdf
 
We look forward to your feedback. There are a million applications written with Struts1 out there, and before all the large enterprises start pumping out the next generation of applications in Struts2, we want to make sure we've done our due diligence.
 
Again, the purpose of this research was not to find vulnerabilities in Struts2, but to see how we could improve the framework to enable more secure applications.
 
Thanks for your time,
Arshan Dabirsiaghi