CERT Oracle Secure Coding Standard for Java, The, 1st edition

  • Fred Long
  • Dhruv Mohindra
  • Robert C. Seacord
  • Dean F. Sutherland
  • David Svoboda

Published by Addison-Wesley Professional (September 8th 2011) - Copyright © 2012

ISBN-13: 9780132882866

Table of contents

Foreword

Preface

Acknowledgments

About the Authors

Chapter 1: Introduction

Misplaced Trust

Injection Attacks

Leaking Sensitive Data

Leaking Capabilities

Denial of Service

Serialization

Concurrency, Visibility, and Memory

Principle of Least Privilege

Security Managers

Class Loaders

Summary

Chapter 2: Input Validation and Data Sanitization (IDS)

Rules

Risk Assessment Summary

IDS00-J. Sanitize untrusted data passed across a trust boundary

IDS01-J. Normalize strings before validating them

IDS02-J. Canonicalize path names before validating them

IDS03-J. Do not log unsanitized user input

IDS04-J. Limit the size of files passed to ZipInputStream

IDS05-J. Use a subset of ASCII for file and path names

IDS06-J. Exclude user input from format strings

IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method

IDS08-J. Sanitize untrusted data passed to a regex

IDS09-J. Do not use locale-dependent methods on locale-dependent data without specifying the appropriate locale

IDS10-J. Do not split characters between two data structures

IDS11-J. Eliminate noncharacter code points before validation

IDS12-J. Perform lossless conversion of String data between differing character encodings

IDS13-J. Use compatible encodings on both sides of file or network I/O

Chapter 3: Declarations and Initialization (DCL)

Rules

Risk Assessment Summary

DCL00-J. Prevent class initialization cycles

DCL01-J. Do not reuse public identifiers from the Java Standard Library

DCL02-J. Declare all enhanced for statement loop variables final

Chapter 4: Expressions (EXP)

Rules

Risk Assessment Summary

EXP00-J. Do not ignore values returned by methods
