Title: Rec. AA. References  
Author: Fred Long Sep 14, 2007
Last Changed by: David Svoboda Oct 18, 2016
Incoming Links
SEI CERT Oracle Coding Standard for Java (81)
    Page: Rec. Preface
    Page: MET51-J. Do not use overloaded methods to differentiate between runtime types
    Page: MSC61-J. Do not use insecure or weak cryptographic algorithms
    Page: MSC63-J. Ensure that SecureRandom is properly seeded
    Page: MSC60-J. Do not use assertions to verify the absence of runtime errors
    Page: OBJ50-J. Never confuse the immutability of a reference with that of the referenced object
    Page: DCL57-J. Avoid ambiguous overloading of variable arity methods
    Page: MSC52-J. Finish every set of statements associated with a case label with a break statement
    Page: Rec.: All Guidelines with Classification
    Page: OBJ51-J. Minimize the accessibility of classes and their members
    Page: SEC53-J. Define custom security permissions for fine-grained security
    Page: SEC54-J. Create a secure sandbox using a security manager
    Page: Rec.: Priority and Levels
    Page: OBJ55-J. Remove short-lived objects from long-lived container objects
    Page: MSC55-J. Use comments consistently and in a readable fashion
    Page: FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with care
    Page: MET52-J. Do not use the clone() method to copy untrusted method parameters
    Page: OBJ54-J. Do not attempt to help the garbage collector by setting local reference variables to null
    Page: ERR50-J. Use exceptions only for exceptional conditions
    Page: ERR52-J. Avoid in-band error indicators
    Page: EXP52-J. Use braces for the body of an if, for, or while statement
    Page: SEC57-J. Do not let untrusted code misuse privileges of callback methods
    Page: MSC58-J. Prefer using iterators over enumerations
    Page: MSC62-J. Store passwords using a hash function
    Page: OBJ53-J. Do not use direct buffers for short-lived, infrequently used objects
    Page: EXP50-J. Do not confuse abstract object equality with reference equality
    Page: SEC56-J. Do not serialize direct handles to system resources
    Page: MSC54-J. Avoid inadvertent wrapping of loop counters
    Page: SEC52-J. Do not expose methods that use reduced-security checks to untrusted code
    Page: EXP55-J. Use the same type for the second and third operands in conditional expressions
    Page: MET54-J. Always provide feedback about the resulting value of a method
    Page: CON51-J. Do not assume that the sleep(), yield(), or getState() methods provide synchronization semantics
    Page: Rec.: Scope
    Page: EXP53-J. Use parentheses for precedence of operation
    Page: MSC57-J. Strive for logical completeness
    Page: DCL56-J. Do not attach significance to the ordinal associated with an enum
    Page: IDS53-J. Prevent XPath Injection
    Page: DCL52-J. Do not declare more than one variable per declaration
    Page: FIO52-J. Do not store unencrypted sensitive information on the client side
    Page: OBJ56-J. Provide sensitive mutable classes with unmodifiable wrappers
    Page: Rec.: Tool Selection and Validation
    Page: ERR51-J. Prefer user-defined exceptions over more general exception types
    Page: EXP51-J. Do not perform assignments in conditional expressions
    Page: CON50-J. Do not assume that declaring a reference volatile guarantees safe publication of the members of the referenced object
    Page: DCL55-J. Properly encode relationships in constant definitions
    Page: DCL51-J. Do not shadow or obscure identifiers in subscopes
    Page: OBJ13-J. Ensure that references to mutable objects are not exposed
    Page: IDS52-J. Prevent code injection
    Page: ERR54-J. Use a try-with-resources statement to safely handle closeable resources
    Page: OBJ01-J. Limit accessibility of fields
    Page: IDS51-J. Properly encode or escape output
    Page: OBJ52-J. Write garbage-collection-friendly code
    Page: DCL60-J. Avoid cyclic dependencies between packages
    Page: MSC56-J. Detect and remove superfluous code and values
    Page: FIO51-J. Identify files using multiple file attributes
    Page: NUM51-J. Do not assume that the remainder operator always returns a nonnegative result for integral operands
    Page: DCL54-J. Use meaningful symbolic constants to represent literal values in program logic
    Page: DCL58-J. Enable compile-time type checking of variable arity parameter types
    Page: SEC51-J. Minimize privileged code
    Page: MET53-J. Ensure that the clone() method calls super.clone()
    Page: Rec. BB. Definitions
    Page: NUM52-J. Be aware of numeric promotion behavior
    Page: IDS56-J. Prevent arbitrary file upload
    Page: DCL50-J. Use visually distinct identifiers
    Page: EXP54-J. Understand the differences between bitwise and logical operators
    Page: MET50-J. Avoid ambiguous or confusing uses of overloading
    Page: NUM50-J. Convert integers to floating point for floating-point operations
    Page: ERR53-J. Try to gracefully recover from system errors
    Page: OBJ57-J. Do not rely on methods that can be overridden by untrusted code
    Page: IDS55-J. Understand how escape characters are interpreted when strings are loaded
    Page: MET55-J. Return an empty array or collection instead of a null value for methods that return an array or collection
    Page: IDS54-J. Prevent LDAP injection
    Page: CON52-J. Document thread-safety and use annotations where applicable
    Page: DCL53-J. Minimize the scope of variables
    Page: MSC59-J. Limit the lifetime of sensitive data
    Page: MET56-J. Do not use Object.equals() to compare cryptographic keys
    Page: MSC53-J. Carefully design interfaces before releasing them
    Page: DCL59-J. Do not apply public final to constants whose value might change in later releases
    Page: SEC50-J. Avoid granting excess privileges
    Page: MSC50-J. Minimize the scope of the @SuppressWarnings annotation
    Page: FIO50-J. Do not make assumptions about file creation
Hierarchy
Parent Page
    Page: 4 Back Matter
Outgoing Links
External Links (70)
    dx.doi.org/10.1109/C-M.1981.220208
    download.oracle.com/javase/7/docs/technotes/tools/index.htm…
    www.sei.cmu.edu/library/abstracts/reports/09tr010.cfm
    docs.oracle.com/javase/specs/jvms/se7/html/index.html
    www.owasp.org/index.php/Main_Page
    developers.sun.com/learning/javaoneonline/sessions/2009/pdf…
    www.javapractices.com/topic/TopicAction.do?Id=216
    www.eng.auburn.edu/users/hamilton/security/papers/STSC%20Cr…
    www.gnu.org/prep/standards/
    download.oracle.com/javase/7/docs/api/index.html
    www.oracle.com/technetwork/topics/security/alert-cve-2013-0…
    dow.ngra.de/2009/02/16/the-ultimate-java-puzzler/
    docs.oracle.com/javase/tutorial/index.html
    www.oracle.com/technetwork/java/index-135089.html
    https://www.owasp.org/index.php/Session_Fixation_in_Java
    portal.acm.org/citation.cfm?doid=1693453.1693485
    owasp.org/index.php/OWASP_Guide_Project
    www.oracle.com/technetwork/java/seccodeguide-139067.html
    unicode.org/reports/tr15/
    docs.oracle.com/javase/specs/
    www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm
    docs.oracle.com/javase/6/docs/index.html
    tika.apache.org/index.html
    portal.acm.org/citation.cfm?id=130616.130623
    developers.sun.com/sunstudio/products/archive/whitepapers/j…
    www.securesoftware.com/process/
    www.unicode.org/versions/Unicode6.2.0/
    download.java.net/jdk8/docs/technotes/guides/security/dopri…
    docs.oracle.com/javase/1.5.0/docs/guide/nio/
    docs.huihoo.com/javaone/2007/java-se/TS-2906.pdf
    java.sun.com/javase/6/docs/api/
    https://www.cert.org/blogs/certcc/2013/01/anatomy_of_java_e…
    www.w3.org/Security/Faq/wwwsf2.html
    docs.oracle.com/javase/7/docs/technotes/guides/security/cry…
    dx.doi.org/10.1109/SP.2006.29
    https://confluence.ucdavis.edu/confluence/download/attachme…
    www.objectmentor.com/resources/articles/granularity.pdf
    software.ucv.ro/%7Eeganea/SoftE/JavaCodingStandards.pdf
    onjava.com/pub/a/onjava/2003/08/20/memoization.html
    immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis…
    www.unicode.org/versions/Unicode5.2.0/
    docs.oracle.com/javase/1.5.0/docs/guide/security/spec/secur…
    lars-lab.jpl.nasa.gov/JPL_Coding_Standard_Java.pdf
    www.gnu.org/prep/standards/standards.html#Syntactic-Convent…
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS…
    winjade.net/2009/01/lesson-on-infinite-loops/
    https://www.owasp.org/index.php/OWASP_Guide_Project
    docs.oracle.com/javaee/6/api/javax/servlet/http/package-sum…
    www.ibm.com/developerworks/java/library/j-jtp06197.html
    markmail.org/message/4scermxmn5oqhyii
    https://www.cigital.com/
    findbugs.sourceforge.net/bugDescriptions.html
    www.oracle.com/technetwork/java/javase/gc-tuning-6-140523.h…
    https://www.owasp.org/index.php/Hashing_Java
    mikeware.us/thesis/
    https://www.cigital.com/justice-league-blog/2009/08/14/prop…
    dl.acm.org/citation.cfm?doid=1814217.1814224
    docs.oracle.com/javase/6/docs/technotes/guides/security/per…
    docs.oracle.com/javase/specs/jls/se7/html/index.html
    docs.oracle.com/javase/8/docs/api/
    www.ibm.com/developerworks/xml/library/x-xpathinjection.htm…
    docs.oracle.com/javase/7/docs/
    www.cert.org/books/secure-coding
    www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
    docs.oracle.com/javase/7/docs/technotes/guides/security/Pol…
    https://www.owasp.org/index.php/Hashing_Java#Why_add_salt_.…
    docs.oracle.com/javase/6/docs/technotes/guides/security/cer…
    xlinux.nist.gov/dads/HTML/partialorder.html
    www.ibm.com/developerworks/java/library/j-jtp01274.html
    www.coverity.com/