Recommendations
SEC01-J. Be careful using doPrivileged
SEC02-J. Beware of standard APIs that may bypass Security Manager checks
SEC03-J. Beware of standard APIs that may use the immediate caller's class loader instance
SEC04-J. Beware of standard APIs that perform access checks against the immediate caller
SEC06-J. Assume that all Java clients can be reverse engineered, monitored, and modified
SEC07-J. Minimize accessibility
Rules
SEC30-J. Always use a Security Manager
SEC31-J. Never grant AllPermission
SEC32-J. Do not grant ReflectPermission with action suppressAccessChecks
SEC33-J. Define wrappers around native methods
SEC34-J. Do not allow the unauthorized construction of sensitive classes
SEC35-J. Provide mutable classes with a clone method
SEC36-J. Ensure that the bytecode verifier is applied to all involved code upon any modification
Risk Assessment Summary
Recommendations
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SEC01-J |
medium |
probable |
high |
P4 |
L3 |
SEC02-J |
medium |
probable |
high |
P4 |
L3 |
SEC03-J |
medium |
probable |
high |
P4 |
L3 |
SEC04-J |
medium |
probable |
high |
P4 |
L3 |
SEC06-J |
medium |
probable |
high |
P4 |
L3 |
SEC07-J |
medium |
probable |
high |
P4 |
L3 |
Rules
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SEC30-J |
high |
probable |
low |
P18 |
L1 |
SEC31-J |
high |
probable |
low |
P18 |
L1 |
SEC32-J |
high |
probable |
low |
P18 |
L1 |
SEC33-J |
medium |
probable |
high |
P4 |
L3 |
SEC34-J |
high |
probable |
high |
P6 |
L2 |
SEC35-J |
low |
unlikely |
medium |
P2 |
L3 |
SEC36-J |
medium |
probable |
high |
P4 |
L3 |