Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 149 Next »

Guidelines

SEC00-J. Follow the principle of least privilege

SEC01-J. Minimize the accessibility of classes and their members

SEC02-J. Guard doPrivileged blocks against untrusted invocations

SEC03-J. Do not allow tainted variables in doPrivileged blocks

SEC04-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code

SEC05-J. Do not expose standard APIs that use the immediate caller's class loader instance to untrusted code

SEC06-J. Do not use APIs that perform access checks against the immediate caller

SEC07-J. Declare classes that derive from a sensitive class or implement a sensitive interface final

SEC08-J. Enforce security checks in code that performs sensitive operations

SEC09-J. Do not base security checks on untrusted sources

SEC10-J. Define custom security permissions for fine grained security

SEC11-J. Call the superclass's getPermissions method when writing a custom class loader

SEC12-J. Do not grant untrusted code access to classes existing in forbidden packages

SEC13-J. Do not allow unauthorized construction of classes in forbidden packages

SEC14-J. Provide sensitive mutable classes with unmodifiable wrappers

SEC15-J. Prefer using SSLSockets over Sockets for secure data exchange

SEC16-J. Sign and seal sensitive objects before transit

SEC17-J. Create and sign a SignedObject before creating a SealedObject

SEC18-J. Define wrappers around native methods

SEC19-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar

SEC20-J. Do not expect java.lang.reflect.method.invoke() to behave as the immediate caller

Risk Assessment Summary

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

SEC00- J

high

probable

high

P6

L2

SEC01- J

medium

likely

medium

P12

L1

SEC02- J

medium

likely

high

P6

L2

SEC03- J

high

likely

low

P27

L1

SEC04- J

high

probable

medium

P12

L1

SEC05- J

high

probable

medium

P12

L1

SEC06- J

medium

likely

medium

P12

L1

SEC06- J

high

probable

medium

P12

L1

SEC07- J

medium

probable

low

P12

L1

SEC08- J

high

probable

medium

P12

L1

SEC09- J

high

probable

medium

P12

L1

SEC10- J

medium

probable

high

P4

L3

SEC11- J

high

probable

low

P18

L1

SEC12- J

high

likely

high

P9

L2

SEC13- J

high

likely

high

P9

L2

SEC14- J

medium

probable

high

P4

L3

SEC15- J

medium

likely

high

P6

L2

SEC16- J

medium

probable

high

P4

L3

SEC17- J

medium

likely

low

P18

L1

SEC18- J

medium

probable

high

P4

L3

SEC19- J

high

probable

medium

P12

L1


ENV10-J. Do not disable bytecode verification      The CERT Oracle Secure Coding Standard for Java      SEC00-J. Follow the principle of least privilege

  • No labels