Rules for Securing Your Java Code
by Dalila Mekhaldi
A group of specialized writers in the software security domain wrote The Cert Oracle Secure Coding Standard for Java. All of them have research and scientific Cert activities at Carnegie Mellon University’s Software Engineering Institute. Their book presents a set of security practices that should ensure secure Java coding, as was expected when this language was originally designed.
The authors present standard as rules that programmers should observe when writing code, especially when core libraries are included, such as lang, util, I/O, and XML JAXP. The rules aim at coding practices that might lead to vulnerabilities. Applying them will result in Java applications with higher quality features, such as robustness and maintainability. Other groups that might benefit from them include Java language developers (mainly Java JE6, Java ME, and Java EE), software development managers, analyzer tool developers, and educators.
The book consists of an introduction and 17 chapters, each of which covers an issue in Java coding that’s covered independently, making the book useful as a reference for a large set of Java programming issues. The issues range from basic features like Expressions (Chapter 4) and Numeric types (Chapter 5), to advanced features such as Thread APIs (Chapter 11) and platform security (Chapter 16).
Each chapter is illustrated by a set of rules. Each rule is accompanied by examples showing noncompliance/compliance of the code, exceptions that might be thrown if the rule is violated, a risk assessment, and some bibliographic references for readers who want to go further in the application of these rules. In the rule descriptions, the authors rely on definitions from Java API. The descriptions are clear and presented simply so that any Java programmer could understand them. The authors also include tips and hints to help programmers avoid any error or bug that a malicious user might exploit. These hints vary from beginner to professional levels.
There are a few points I would like to see taken into account in future editions. For example, some rule violations don’t generate any exception, while other rules generate one or more than. It’s not clear how the number of generated exceptions is defined.
It’s also not clear whether future work will consider other Java libraries and packages not covered in this book. In other words, because the book represents version 1.0 of the standard, it’s not clear whether a future version of the standard will cover other Java programming issues.
Nevertheless, The Cert Oracle Secure Coding Standard for Java presents a valuable handout for Java programmers aiming at higher-quality applications that account for current security challenges with an optimal use of resources. Adhering to the rules it presents will reduce vulnerabilities and ensure applications that conform to security requirements. Moreover, the standard generates specific exceptions when a security rule is violated, which could be regarded as a check on accuracy. Finally, and as the authors note in their preface, programmers can use analyzer tools to check for rule violations.
Dalila Mekhaldi is a software engineer. Contact her at firstname.lastname@example.org.