Recommendations
SEC00-A. Do not allow exceptions to transmit sensitive information
SEC01-A. Be careful using doPrivileged
SEC02-A. Beware of standard APIs that may bypass Security Manager checks
SEC03-A. Beware of standard APIs that may use the immediate caller's class loader instance
SEC04-A. Beware of standard APIs that perform access checks against the immediate caller
Rules
SEC30-C. Always use a Security Manager
...
SEC32-C. Do not grant ReflectPermission with action suppressAccessChecks
SEC33-C. Define wrappers around native methods
SEC34-C. Do not allow the unauthorized construction of sensitive classes
SEC35-C. Provide mutable classes with a clone method
SEC36-C. Ensure that the bytecode verifier is applied to modified code
Risk Assessment Summary
Rules
...