You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 32 Next »

Recommendations

FIO00-J. Validate deserialized objects

FIO01-J. Canonicalize path names originating from untrusted sources

FIO02-J. Use Runtime.exec() correctly

FIO04-J. Understand the limitations of the logging framework

FIO05-J. Document character encoding while performing file IO

FIO06-J. Validate user input

FIO07-J. Do not assume infinite heap space when reading in data

Rules

FIO31-J. Create a copy of mutable inputs

FIO32-J. Do not serialize sensitive data

FIO33-J. Do not allow serialization and deserialization to bypass the Security Manager

FIO34-J. Ensure all resources are properly closed when they are no longer needed

FIO35-J. Exclude user input from format strings

FIO36-J. Never hardcode sensitive information

Risk Assessment Summary

Recommendations

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00-J

medium

probable

high

P4

L3

FIO01-J

high

probable

high

P6

L2

FIO02-J

high

probable

high

P6

L2

FIO06-J

medium

probable

high

P4

L3

Rules

Rules

Severity

Likelihood

Remediation Cost

Priority

Level

FIO31-J

medium

probable

high

P4

L3

FIO32-J

medium

likely

high

P6

L2

FIO33-J

high

probable

high

P6

L2

FIO35-J

medium

probable

high

P4

L3


OBJ35-J. Use checked collections against external code      CERT Java Secure Coding Standard      FIO00-J. Validate deserialized objects

  • No labels