The Java rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.
Create a sign-in account if you want to comment on existing content. If you wish to be more involved and directly edit content on the site, you still need an account, but you'll also need to request edit privileges.
There is no content with the specified labels
There is no content with the specified labels
There are two books available that cover Java: one for rules and the other for guidelines.
provides rules for Java Platform Standard Edition 6 and Java SE 7. The CERT Oracle Secure Coding Standard for Java
provides guidelines, recommendations, and examples to enable the creation of reliable, robust, fast, maintainable, and secure code. Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
SCALe offers conformance testing of Java language software systems against the CERT Oracle Secure Coding Standard for Java.
Contact us if you
- have questions about the Secure Coding wiki
- have recommendations for standards in development
- want to request privileges to participate in standards development
We acknowledge the contributions of the following folks , and we look forward to seeing your name here as well.
I would like to see a downloadable version of the Java Secure Coding Standard. Maybe a zip with HTML files or a all-in-one HTML file could be provided. PDF would also be nice. I am sure I am not the only one who is interested in this.
Robert Seacord (Manager)
PDF versions of The CERT Oracle Secure Coding Standard for Java are available from InformIT at http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955
Stijn de Gouw
Seconded. Confluence provides export facilities "out-of-the-box" (Space Tools > Content Tools > Export tab), but the export option has been disabled explicitly here. Kind request to the administrators: can you enable this option?
We appreciate your feedback. As you imply, we have chosen to explicitly not enable that option at this time, and we currently have no plans to enable the option.
We have tried to setup PMD rules to automatically detect non-conformities to these rules. Do you have a list of rules that can be 100 percent detected automatically? For us, there are many rules which create false positives. Also, do you have any particular advice on implementing automated detection?
We've implemented a few automated checkers for CERT rules. See http://keshmesh.cs.illinois.edu/. I'd be happy to learn more about your project? Which rules does your tool support? Are your checkers open source?
No, we do not have any such list. One of the problems is, as you point out, that "detected automatically" is really a relative term, based on tolerance for false positives. However, we are actively investigating this question by attempting to develop (heuristic) checkers for as many rules as possible.
Regarding particular advice -- some rules have specific textual comments regarding the possibilities for automatic detection which might be useful. If you have questions regarding particular rules, please let us know which ones, and we'd be happy to give you what advice we can regarding automatic detection.
I should be upfront with one disclaimer: while all rules are rated with remediation levels, and the definition of the remediation levels involves the potential for automatic checking for rule conformance, you should take those interpretations with a grain of salt. That is, while we stand by the remediation difficulty ratings in the abstract, the specific interpretations (in the introduction) in terms of automatic/manual detection/correction are not always applicable. Rather, it is best to go by what, if anything, about automatic detection is mentioned in the textual discussion of the rule.
Nelson Abel Barranzuela Iman
Es un excelente libro The.CERT.Oracle.Secure.Coding.Standard.for.Java los felicto , muchas gracias desde Piura-Perú.
How to validate your rules for our java files? Is there any tool like findbugs / PMD? Is there any wiki to check those things?
Each rule has an "Automated Detection" section. This section lists tools (including PMD and FindBugs!) that can detect violations of the rule.
But, few rules are not yet to implemented in the above mentioned tools ( PMD & FindBugs! ). How to validate whether our source code affects the above listed rules(violations).? Do you have any reference to implement it through commandLine?
The Automated Detection section represents our public knowledge. If a rule has an empty AD section, then we do not have references for checking that rule. They may exist but be new, or not public.