Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search

07. Input Output (FIO)

Created by Fred Long, last modified by Justin Pincar on Nov 19, 2008

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Recommendations

FIO00-J. Validate deserialized objects

FIO01-J. Canonicalize path names originating from untrusted sources

FIO02-J. Use Runtime.exec() correctly

FIO04-J. Understand the limitations of the logging framework

FIO05-J. Document character encoding while performing file IO

FIO06-J. Validate user input

FIO07-J. Do not assume infinite heap space when reading in data

Rules

FIO31-J. Create a copy of mutable inputs

FIO32-J. Do not serialize sensitive data

FIO33-J. Do not allow serialization and deserialization to bypass the Security Manager

FIO34-J. Ensure all resources are properly closed when they are no longer needed

FIO35-J. Exclude user input from format strings

FIO36-J. Never hardcode sensitive information

Risk Assessment Summary

Recommendations

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
FIO00-J	medium	probable	high	P4	L3
FIO01-J	high	probable	high	P6	L2
FIO02-J	high	probable	high	P6	L2
FIO06-J	medium	probable	high	P4	L3

Rules

Rules	Severity	Likelihood	Remediation Cost	Priority	Level
FIO31-J	medium	probable	high	P4	L3
FIO32-J	medium	likely	high	P6	L2
FIO33-J	high	probable	high	P6	L2
FIO35-J	medium	probable	high	P4	L3

OBJ35-J. Use checked collections against external code The CERT Sun Microsystems Secure Coding Standard for Java FIO00-J. Validate deserialized objects

No labels