The CERT Oracle Secure Coding Standard for JavaAddison-Wesley Professional, 2012 - Всего страниц: 699 "In the Java world, security is not viewed as an add-on a feature. It is a pervasive way of thinking. Those who forget to think in a secure mindset end up in trouble. But just because the facilities are there doesn't mean that security is assured automatically. A set of standard practices has evolved over the years. The Secure(R) Coding(R) Standard for Java(TM) is a compendium of these practices. These are not theoretical research papers or product marketing blurbs. This is all serious, mission-critical, battle-tested, enterprise-scale stuff." --James A. Gosling, Father of the Java Programming Language An essential element of secure coding in the Java programming language is a well-documented and enforceable coding standard. Coding standards encourage programmers to follow a uniform set of rules determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes). The CERT(R) Oracle(R) Secure Coding Standard for Java(TM) provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard's guidelines will lead to higher-quality systems-robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java-for devices such as PCs, game players, mobile phones, home appliances, and automotive electronics. After a high-level introduction to Java application security, seventeen consistently organized chapters detail specific rules for key areas of Java development. For each area, the authors present noncompliant examples and corresponding compliant solutions, show how to assess risk, and offer references for further information. Each rule is prioritized based on the severity of consequences, likelihood of introducing exploitable vulnerabilities, and cost of remediation. The standard provides secure coding rules for the Java SE 6 Platform including the Java programming language and libraries, and also addresses new features of the Java SE 7 Platform. It describes language behaviors left to the discretion of JVM and compiler implementers, guides developers in the proper use of Java's APIs and security architecture, and considers security concerns pertaining to standard extension APIs (from the javax package hierarchy).The standard covers security issues applicable to these libraries: lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP. |
Содержание
Chapter 1 Introduction | 1 |
23 | |
Chapter 3 Declarations and Initialization DCL | 75 |
Chapter 4 Expressions EXP | 85 |
Chapter 5 Numeric Types and Operations NUM | 105 |
Chapter 6 Object Orientation OBJ | 151 |
Chapter 7 Methods MET | 209 |
Chapter 8 Exceptional Behavior ERR | 255 |
Chapter 12 Thread Pools TPS | 417 |
Chapter 13 ThreadSafety Miscellaneous TSM | 441 |
467 | |
Chapter 15 Serialization SER | 527 |
Chapter 16 Platform Security SEC | 569 |
Chapter 17 Runtime Environment ENV | 603 |
Chapter 18 Miscellaneous MSC | 625 |
Glossary | 669 |
Chapter 9 Visibility and Atomicity VNA | 301 |
Chapter 10 Locking LCK | 331 |
Chapter 11 Thread APIs THI | 387 |
References | 677 |
693 | |
Другие издания - Просмотреть все
The CERT Oracle Secure Coding Standard for Java Fred Long,Dhruv Mohindra,Robert C. Seacord,Dean F. Sutherland,David Svoboda Ограниченный просмотр - 2011 |
Часто встречающиеся слова и выражения
args attacker Automated Detection Bibliography API 2006 Bloch boolean byte catch IOException CERT C Secure checks class loader compliant solution Consequently constructor Cost Priority Level declared default deserialization double-checked locking ensure Example This noncompliant exception execution field finally block floating-point Forward to handler Goetz Helper immutable objects implements initialized inner classes input instance Integer interface invoked Java Programming Language Java SE Lazy initialization Likelihood probable Remediation Likelihood Remediation Cost lock object malicious medium P4 L3 method mutable MySingleton noncompliant code example null operations perform private final probable medium probable Remediation Cost public class public final class public static void Remediation Cost Priority result return false Rule Severity Likelihood Runnable Secure Coding Standard security manager Serializable serialized Severity Likelihood Remediation Solution This compliant static void main(String strictfp String subclass synchronized thread pool thread-safe throws IOException untrusted code validation variable volatile volatile variable vulnerability