The Java rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.

Create a sign-in account if you want to comment on existing content. If you wish to be more involved and directly edit content on the site, you still need an account, but you'll also need to request edit privileges.   


Secure Java Coding Books

There are two books available that cover Java: one for rules and the other for guidelines.

The CERT Oracle Secure Coding Standard for Java provides rules for Java Platform Standard Edition 6 and Java SE 7.

 


Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs provides guidelines, recommendations, and examples to enable the creation of reliable, robust, fast, maintainable, and secure code.
Source Code Analysis Laboratory (SCALe)

SCALe offers conformance testing of Java language software systems against the CERT Oracle Secure Coding Standard for Java.

Contact Us

Contact us if you

  • have questions about the Secure Coding wiki
  • have recommendations for standards in development
  • want to request privileges to participate in standards development
Thank You!

We acknowledge the contributions of the following folks , and we look forward to seeing your name here as well.

Rules vs. Recomendations

This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Learn more about the differences.

Linking to Our Pages

Link to guidelines using the Tiny Link under Tools→Link to this Page... (This URL will not change if the name of the guideline changes.)   

Information for Editors

  • To eliminate a section from the lists above, label it section and void.
  • To have a section listed as a recommendation, label it section and recommendation.
  • To have a section listed as a rule, label it section and rule.


14 Comments

  1. I would like to see a downloadable version of the Java Secure Coding Standard. Maybe a zip with HTML files or a all-in-one HTML file could be provided. PDF would also be nice. I am sure I am not the only one who is interested in this.

    1. PDF versions of The CERT Oracle Secure Coding Standard for Java are available from InformIT at http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955

    2. Seconded. Confluence provides export facilities "out-of-the-box" (Space Tools > Content Tools > Export tab), but the export option has been disabled explicitly here. Kind request to the administrators: can you enable this option?

      1. We appreciate your feedback.  As you imply, we have chosen to explicitly not enable that option at this time, and we currently have no plans to enable the option.

  2. Hi,

    We have tried to setup PMD rules to automatically detect non-conformities to these rules. Do you have a list of rules that can be 100 percent detected automatically? For us, there are many rules which create false positives. Also, do you have any particular advice on implementing automated detection?

    Thanks

    Paul

    1. Paul,

      We've implemented a few automated checkers for CERT rules. See http://keshmesh.cs.illinois.edu/. I'd be happy to learn more about your project? Which rules does your tool support? Are your checkers open source?

    2. Hi Paul,

      No, we do not have any such list. One of the problems is, as you point out, that "detected automatically" is really a relative term, based on tolerance for false positives. However, we are actively investigating this question by attempting to develop (heuristic) checkers for as many rules as possible.

      Regarding particular advice -- some rules have specific textual comments regarding the possibilities for automatic detection which might be useful. If you have questions regarding particular rules, please let us know which ones, and we'd be happy to give you what advice we can regarding automatic detection.

      I should be upfront with one disclaimer: while all rules are rated with remediation levels, and the definition of the remediation levels involves the potential for automatic checking for rule conformance, you should take those interpretations with a grain of salt. That is, while we stand by the remediation difficulty ratings in the abstract, the specific interpretations (in the introduction) in terms of automatic/manual detection/correction are not always applicable.  Rather, it is best to go by what, if anything, about automatic detection is mentioned in the textual discussion of the rule.

      Cheers

  3. Es un excelente libro The.CERT.Oracle.Secure.Coding.Standard.for.Java los felicto , muchas gracias desde Piura-Perú.

  4. How to validate your rules for our java files? Is there any tool like findbugs / PMD?  Is there any wiki to check those things?

    1. Each rule has an "Automated Detection" section. This section lists tools (including PMD and FindBugs!) that can detect violations of the rule.

      1. But, few rules are not yet to implemented in the above mentioned tools ( PMD & FindBugs! ). How to validate whether our source code affects the above listed rules(violations).? Do you have any reference to implement it through commandLine?

        1. The Automated Detection section represents our public knowledge. If a rule has an empty AD section, then we do not have references for checking that rule. They may exist but be new, or not public.

  5. Introduction

    Climate change, a global concern that transcends borders, has profound effects on various regions worldwide. Southern Europe and the popular tourist destinations along Spain's Costa del Sol, including Marbella and Malaga, are experiencing significant changes, including increased heatwaves. This article delves into the effects of climate change in these areas and discusses potential strategies for mitigation and adaptation.

    Climate Change: The Broad Picture

    Climate change refers to long-term shifts in temperatures and weather patterns. Primarily caused by human activities, notably burning fossil fuels and deforestation, climate change has resulted in global warming, melting ice caps, rising sea levels, and changes in weather patterns.

    Climate Change in Southern Europe

    Southern Europe, characterized by its Mediterranean climate, is witnessing a distinct shift in its climatic patterns due to global warming.

    Rising Temperatures and Heatwaves

    One of the most pronounced effects of climate change in Southern Europe is the rise in temperature. The region is experiencing increasingly frequent and intense heatwaves. Cities like Marbella and Malaga on the Costa del Sol are particularly affected, with several heatwaves occurring each year.

    Heatwaves pose numerous risks, from heatstroke and other health problems to increased energy demand for cooling. Moreover, they exacerbate drought conditions, leading to water shortages and negatively affecting agriculture.

    Other Climatic Changes

    Besides heatwaves, Southern Europe is experiencing other climatic changes. Winters are becoming milder, and rainfall patterns are changing, leading to prolonged dry spells interspersed with heavy rainfall events. These changes can result in devastating wildfires, landslides, and flash floods.

    Impact on Tourism

    Climate change poses significant challenges for tourism, a major economic driver in areas like the Costa del Sol. Increased temperatures and heatwaves may deter tourists, especially during the peak summer season. Conversely, milder winters could potentially extend the tourist season.

    Changes in rainfall patterns and increased risk of wildfires may also impact the natural beauty of these areas, further affecting tourism. Moreover, rising sea levels pose a long-term threat to coastal destinations.

    Mitigation and Adaptation Strategies

    Addressing climate change requires both mitigation, reducing the causes of climate change, and adaptation, making adjustments to reduce the negative effects.

    Mitigation

    Mitigation efforts in Southern Europe and the Costa del Sol involve transitioning to renewable energy sources, improving energy efficiency, and promoting sustainable practices in industries such as tourism and agriculture.

    Adaptation

    Adaptation strategies include developing heat action plans, improving water management to cope with changing rainfall patterns, and implementing measures to protect against wildfires and flooding.

    Building climate-resilient infrastructure can help protect coastal tourist destinations from rising sea levels. Additionally, diversifying the tourism sector can help make it more resilient to climatic changes.