Comment: changing the section list to content by label macro

Guidelines

SEC00-J. Avoid granting excess privileges

SEC01-J. Minimize the accessibility of classes and their members

SEC02-J. Guard doPrivileged blocks against untrusted invocation and leakage of sensitive data

SEC03-J. Do not allow tainted variables in doPrivileged blocks

SEC04-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code

SEC05-J. Do not expose standard APIs that use the immediate caller's class loader instance to untrusted code

SEC06-J. Do not use APIs that perform access checks against the immediate caller

SEC07-J. Classes that derive from a sensitive class or implement a sensitive interface must be declared final

SEC08-J. Protect sensitive operations with security manager checks

SEC09-J. Do not base security checks on untrusted sources

SEC10-J. Define custom security permissions for fine grained security

SEC11-J. Call the superclass's getPermissions method when writing a custom class loader

SEC12-J. Do not grant untrusted code access to classes in inaccessible packages

SEC13-J. Do not allow unauthorized construction of classes in inaccessible packages

SEC14-J. Provide sensitive mutable classes with unmodifiable wrappers

SEC15-J. Prefer using SSLSockets over Sockets for secure data exchange

SEC16-J. Sign and seal sensitive objects before transit

SEC17-J. Create and sign a SignedObject before creating a SealedObject

SEC18-J. Define wrappers around native methods

SEC19-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar

Content by Label macro (parameters as rendered in the page source):

  showLabels = false
  maxResults = 99
  label      = +sec,-void
  showSpace  = false
  sort       = title
  space      = @self
  cql        = label = "sec" and label != "void" and space = currentSpace()

SEC20-J. Do not expect java.lang.reflect.method.invoke() to behave as the immediate caller

SEC21-J. Remove superfluous code from privileged blocks

Introduction

According to the principle of least privilege, every program and every user of the system should operate using the least set of privileges necessary to complete the particular task [Saltzer 1974, Saltzer 1975]. The Build Security In website [DHS 2006] provides additional definitions of this principle. Executing with minimal privileges limits the damage an attacker can do if a vulnerability is later discovered in the code. These principles can be applied in various ways to Java language programming.

...