Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search

Page History

Versions Compared

Key

This line was added.
This line was removed.
Formatting was changed.

Rules

Content by Label

showLabels	false
max	99
spaces	com.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@3bbaf8c
sort	title
showSpace	false
labels	+sec, +rule, -void
cql	label = "sec" and label = "rule" and label != "void" and space = currentSpace()

Risk Assessment Summary

Rule

Recommendations

SEC00-J. Follow the principles of least privilege

SEC01-J. Provide sensitive mutable classes with unmodifiable wrappers

SEC02-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code

SEC03-J. Do not expose standard APIs that use the immediate caller's class loader instance to untrusted code

SEC04-J. Do not allow tainted parameters while using APIs that perform access checks against the immediate caller

SEC05-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar

SEC06-J. Assume that all Java clients can be reverse engineered, monitored, and modified

SEC07-J. Minimize accessibility of classes and their members

SEC08-J. Sign and seal sensitive objects before transit

SEC09-J. Create and sign a SignedObject before creating a SealedObject

SEC10-J. Do not allow the unauthorized construction of sensitive classes

SEC11-J. Define custom security permissions for fine grained security

SEC12-J. Prefer using SSLSockets over Sockets for secure data exchange

ENV00-J. Do not sign code that performs only unprivileged operations

Rules

SEC30-J. Always use a Security Manager

SEC31-J. Never grant AllPermission to untrusted code

SEC32-J. Do not grant ReflectPermission with target suppressAccessChecks

SEC33-J. Define wrappers around native methods

SEC34-J. Reserved

SEC35-J. Do not disable bytecode verification

SEC36-J. Guard doPrivileged blocks against untrusted invocations

Risk Assessment Summary

Recommendations

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
SEC01SEC00-J	medium Medium	probable Likely	high	P4	L3
SEC02-J	medium	probable	medium	P8	L2
High	P6	L2
SEC01 SEC03-J	medium High	probable Likely	medium Low	P8 P27	L2 L1 SEC04
SEC02-J	medium High	probable Probable	medium Medium	P8 P12	L2 L1 SEC05
SEC03-J	TODO High	TODO	TODO	TODO	TODO	Probable	Medium	SEC06-J	medium	likely	medium	P12	L1 SEC07
SEC04-J	medium High	likely Probable	medium Medium	P12	L1 SEC08
SEC05-J	TODO High TODO	Probable	TODO	TODO	TODO
SEC09-J	medium	unlikely	low	P6	L2
SEC10-J	high	probable	high	P6	L2

Rules

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
Medium	P12	L1
SEC06-J	High	Probable	Medium	P12	L1
SEC07-J	High	Probable	Low
SEC30-J	high	probable	low	P18	L1
SEC31-J	high	probable	low	P18	L1
SEC32-J	high	probable	low	P18	L1
SEC33-J	medium	probable	high	P4	L3
SEC35-J	medium	probable	low	P12	L1

...

Image Added Image Added Image Added The CERT Sun Microsystems Secure Coding Standard for Java The CERT Sun Microsystems Secure Coding Standard for Java SEC36-J. Guard doPrivileged blocks against untrusted invocations