Recommendations
SEC01-J. Provide sensitive mutable classes with unmodifiable wrappers
SEC02-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code
SEC04-J. Beware of standard APIs that perform access checks against the immediate caller
SEC05-J. Verify and authenticate signed artifacts programmatically (deprecated, incomplete)
SEC06-J. Assume that all Java clients can be reverse engineered, monitored, and modified
SEC07-J. Minimize accessibility
SEC08-J. Sign and seal sensitive objects before transit
SEC09-J. Create and sign a SignedObject before creating a SealedObject
SEC10-J. Do not allow the unauthorized construction of sensitive classes
SEC11-J. Define custom security permissions for fine grained security
SEC12-J. Prefer using SSLSockets over Sockets
SEC13-J. Do not sign code that performs unprivileged operations
Rules
SEC30-J. Always use a Security Manager
SEC31-J. Never grant AllPermission to untrusted code
SEC32-J. Do not grant ReflectPermission with action suppressAccessChecks
SEC33-J. Define wrappers around native methods
SEC35-J. Do not disable bytecode verification
SEC36-J. Guard doPrivileged blocks against untrusted invocations
Risk Assessment Summary
Recommendations
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC01SEC00-J | medium Medium | probable Likely | high High | P4 | L3 | SEC02-J | medium | probable | medium | P8 | P6 | L2 SEC03 | |
SEC01-J | medium High | probable Likely | medium Low | P8 P27 | L2 L1 SEC04 | ||||||||
SEC02-J | medium High | probable Probable | medium Medium | P8 P12 | L2 L1 SEC05 | ||||||||
SEC03-J | TODO High | TODO | TODO | TODO | TODO | Probable | Medium | SEC06-J | medium | likely | medium | P12 | L1 SEC07 |
SEC04-J | medium High | likely Probable | medium Medium | P12 | L1 SEC08 | ||||||||
SEC05-J | TODO High TODO | Probable | TODO | TODO | TODO | ||||||||
SEC09-J | medium | unlikely | low | P6 | L2 |
SEC10-J | high | probable | high | P6 | L2 |
Rules
Medium | P12 | L1 | |||
SEC06-J | High | Probable | Medium | P12 | L1 |
SEC07-J | High | Probable | Low | ||
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC30-J | high | probable | low | P18 | L1 |
SEC31-J | high | probable | low | P18 | L1 |
SEC32-J | high | probable | low | P18 | L1 |
SEC33-J | medium | probable | high | P4 | L3 |
SEC35-J | medium | probable | low | P12 | L1 |
...
The CERT Sun Microsystems Secure Coding Standard for Java