What do you think?
Rate this book
CERT Oracle Secure Coding Standard for Java, The
“In the Java world, security is not viewed as an add-on a feature. It is a pervasive way of thinking. Those who forget to think in a secure mindset end up in trouble. But just because the facilities are there doesn’t mean that security is assured automatically. A set of standard practices has evolved over the years. The Secure® Coding® Standard for JavaTM is a compendium of these practices. These are not theoretical research papers or product marketing blurbs. This is all serious, mission-critical, battle-tested, enterprise-scale stuff.” ― James A. Gosling, Father of the Java Programming Language An essential element of secure coding in the Java programming language is a well-documented and enforceable coding standard. Coding standards encourage programmers to follow a uniform set of rules determined by the requirements of the project and organization, rather than by the programmer’s familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes). The CERT® Oracle® Secure Coding Standard for JavaTM provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard’s guidelines will lead to higher-quality systems–robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java–for devices such as PCs, game players, mobile phones, home appliances, and automotive electronics. After a high-level introduction to Java application security, seventeen consistently organized chapters detail specific rules for key areas of Java development. For each area, the authors present noncompliant examples and corresponding compliant solutions, show how to assess risk, and offer references for further information. Each rule is prioritized based on the severity of consequences, likelihood of introducing exploitable vulnerabilities, and cost of remediation. The standard provides secure coding rules for the Java SE 6 Platform including the Java programming language and libraries, and also addresses new features of the Java SE 7 Platform. It describes language behaviors left to the discretion of JVM and compiler implementers, guides developers in the proper use of Java’s APIs and security architecture, and considers security concerns pertaining to standard extension APIs (from the javax package hierarchy).The standard covers security issues applicable to these lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP.
- GenresTechnologyProgramming
744 pages, Paperback
First published September 1, 2011
4 people are currently reading
47 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 4 of 4 reviews
Read
September 28, 2019Read this with a book club at work. It's a great book filled with lots of architecture and best design concepts. It's dfeinitely a book I'll need to go back and reread a couple times.
November 28, 2019
Really enjoyed it, it was surprisingly easy to read. Explained all the rules and principles well. I was thinking about our production code all the time WHILE reading it.
November 20, 2011
"The CERT Oracle Secure Coding Standard for Java." The name says it all. This is a book about security, no? Actually, it is not. It is a book about security and quality. The authors don't define security in quite the same way I do. For example calling string.replace() and ignoring the result is incorrect. However it is a quality issue. I'm not convinced the relationship to security.
In any case, the practices are excellent. They are clearly documented in the form of:
attack/flaw
bad code example
good code example
I think the code examples could have been a little clearer. Maybe highlight the differences between the two in longer snippets.
I particularly liked the tables where they show severity, likelihood, cost to fix, priority and level. I also like that they call attention to which can be easily found by static analysis.
The focus is on core Java (not JEE/web) and a lot of emphasis is placed on threading. The book calls attention to different versions of Java and includes Java 7. Overall a worthwhile addition to the bookshelf.
---
Disclosure: I received a copy of this book from the publisher in exchange for writing this review on behalf of CodeRanch.
In any case, the practices are excellent. They are clearly documented in the form of:
attack/flaw
bad code example
good code example
I think the code examples could have been a little clearer. Maybe highlight the differences between the two in longer snippets.
I particularly liked the tables where they show severity, likelihood, cost to fix, priority and level. I also like that they call attention to which can be easily found by static analysis.
The focus is on core Java (not JEE/web) and a lot of emphasis is placed on threading. The book calls attention to different versions of Java and includes Java 7. Overall a worthwhile addition to the bookshelf.
---
Disclosure: I received a copy of this book from the publisher in exchange for writing this review on behalf of CodeRanch.
December 18, 2013
This book must be read by Java Application Developers who cares about vulnerability.
Displaying 1 - 4 of 4 reviews