Recommendations
SEC00-J. Follow the principles of least privilege
SEC01-J. Provide sensitive mutable classes with unmodifiable wrappers
SEC02-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code
SEC06-J. Assume that all Java clients can be reverse engineered, monitored, and modified
SEC07-J. Minimize accessibility of classes and their members
SEC08-J. Sign and seal sensitive objects before transit
SEC09-J. Create and sign a SignedObject before creating a SealedObject
SEC10-J. Do not allow the unauthorized construction of sensitive classes
SEC11-J. Define custom security permissions for fine grained security
SEC12-J. Prefer using SSLSockets over Sockets for secure data exchange
ENV00-J. Do not sign code that performs only unprivileged operations
Rules
ENV30-J. Always use a Security Manager
ENV31-J. Never grant AllPermission to untrusted code
ENV32-J. Do not grant ReflectPermission with target suppressAccessChecks
SEC33-J. Define wrappers around native methods
SEC35-J. Do not disable bytecode verification
SEC36-J. Guard doPrivileged blocks against untrusted invocations
Risk Assessment Summary
Recommendations

Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC01-J | medium | probable | high | P4 | L3 |
SEC02-J | medium | probable | medium | P8 | L2 |
SEC03-J | medium | probable | medium | P8 | L2 |
SEC04-J | medium | probable | medium | P8 | L2 |
SEC05-J | TODO | TODO | TODO | TODO | TODO |
SEC06-J | medium | likely | medium | P12 | L1 |
SEC07-J | medium | likely | medium | P12 | L1 |
SEC08-J | TODO | TODO | TODO | TODO | TODO |
SEC09-J | medium | unlikely | low | P6 | L2 |
SEC10-J | high | probable | high | P6 | L2 |

Rules

Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC30-J | high | probable | low | P18 | L1 |
SEC31-J | high | probable | low | P18 | L1 |
SEC32-J | high | probable | low | P18 | L1 |
SEC33-J | medium | probable | high | P4 | L3 |
SEC35-J | medium | probable | low | P12 | L1 |

The CERT Sun Microsystems Secure Coding Standard for Java