The CERT Oracle Secure Coding Standard for Java provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standards guidelines will lead to higher-quality systemsrobust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Javafor devices such as PCs, game players, mobile phones, home appliances and automotive electronics.
After a high-level introduction to Java application security, seventeen consistently organized chapters detail specific rules for key areas of Java development. For each area, the authors present non-compliant examples and corresponding compliant solutions, show how to assess risk and offer references for further information. Each rule is prioritized based on the severity of consequences, likelihood of introducing exploitable vulnerabilities and cost of remediation.
About the Author
Fred Long is a senior lecturer and director of learning and teaching in the Department of Computer Science, Aberystwyth University in the United Kingdom. He lectures on formal methods Java, C++ and C programming paradigms and programming-related security issues. He is chairman of the British Computer Societys Mid-Wales Sub-Branch. Fred has been a Visiting Scientist at the Software Engineering Institute since 1992. Recently, his research has involved the investigation of vulnerabilities in Java.
Dhruv Mohindra is a senior software engineer at Persistent Systems Limited, India, where he develops monitoring software for widely used enterprise servers. He has worked for CERT at the Software Engineering Institute and continues to collaborate to improve the state of security awareness in the programming community.
Robert C. Seacord is a computer security specialist and writer. He is the author of books on computer security, legacy system modernization and component-based software engineering. Robert manages the Secure Coding Initiative at CERT, located in Carnegie Mellons Software Engineering Institute in Pittsburgh, Pennsylvania. .
Dean F. Sutherland is a senior software security engineer at CERT. Dean received his Ph.D. in software engineering from Carnegie Mellon in 2008. Before his return to academia, he spent 14 years working as a professional software engineer at Tartan, Inc. He spent the last six of those years as a senior member of the technical staff and a technical lead for compiler back-end technology.
David Svoboda is a software security engineer at CERT. David has been the primary developer on a diverse set of software development projects at Carnegie Mellon since 1991, ranging from hierarchical chip modeling and social organization simulation to automated machine translation (AMT). His KANTOO AMT software, developed in 1996, is still in production use at Caterpillar. He has over 13 years of Java development experience, starting with Java 2 and his Java projects include Tomcat servlets and Eclipse plug-ins.