A must-read for all Java developers. . . . Every developer has a responsibility to author code that is free of significant security vulnerabilities. This book provides realistic guidance to help Java developers implement desired functionality with security, reliability, and maintainability goals in mind. Mary Ann Davidson, Chief Security Officer, Oracle Corporation Organizations worldwide rely on Java code to perform mission-critical tasks, and therefore that code must be reliable, robust, fast, maintainable, and secure. Java Coding Guidelines brings together expert guidelines, recommendations, and code examples to help you meet these demands. Written by the same team that brought you The CERT Oracle Secure Coding Standard for Java, this guide extends that previous works expert security advice to address many additional quality attributes. Youll find 75 guidelines, each presented consistently and intuitively. For each guideline, conformance requirements are specified; for most, noncompliant code examples and compliant solutions are also offered. The authors explain when to apply each guideline and provide references to even more detailed information. Reflecting pioneering research on Java security, Java Coding Guidelines offers updated techniques for protecting against both deliberate attacks and other unexpected events. Youll find best practices for improving code reliability and clarity, and a full chapter exposing common misunderstandings that lead to suboptimal code. With a Foreword by James A. Gosling, Father of the Java Programming Language
Index Terms
- Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Recommendations
Rohit Bahl
This well-articulated book serves as a companion to The CERT Oracle secure coding standard for Java [1]. Presently, there is an urgency to both recognize and address vulnerabilities that stem from coding practices, and unfortunately they are seldom taken into account. This book provides 75 recommendations, applicable to various scenarios that would assist in developing production code devoid of common fatal and unintentional security vulnerabilities. The content of this book clearly demonstrates the skill set of the authors in the security domain. There are five chapters, and the content under each of these classifications is not mutually exclusive. The authors keep a consistent narrative, where each coding best practice corresponding to the recommendation adheres to the discipline of providing an introduction to the scenario. This scenario introduction is then followed by a code snippet that realizes the scenario, but is fraught with gotchas and caveats. The coding snippet is subsequently critiqued and followed by an exemplary code snippet that showcases the correct way to code, while circumventing programming-related security vulnerabilities. Chapter 1, “Security,” provides 21 recommendations that range from strategies describing safeguards against lightweight directory access protocol (LDAP), XPath, and code injection, to other more common scenarios to watch against, including cloning and object's equals functionality. There are also some seemingly obvious recommendations, such as ”prevent arbitrary file upload” and “do not use insecure encryption algorithms.” In chapter 2, “Defensive Programming,” the authors deal with an art too easily lost by the wayside by astute developers sprinting toward project deadlines. This chapter accentuates the many different facets presented in the book and I think it will be one of the best received. The sections on scope variable minimization and numeric behavior promotion are very interesting. Recommending that constants not be declared public final might seem a little out of place in this chapter. Chapter 3 delivers recommendations addressing reliability. It provides good advice such as using the same type for the second and third operands, and runtime error detection without assertions. Some recommendations in this chapter seem more geared toward performance, such as the use of exceptions for exception handling and the removal of short-lived objects from long-running containers. In chapter 4, the authors offer many good suggestions pertaining to code readability, which could assist in preventing the creation of security loopholes in the product. The 15 or so recommendations are valuable, and some of them-for example, “use braces for the body of an if, for, or while statement”-are pieces of wisdom we have encountered in many other computer programming texts. This chapter may not appeal to those highly skilled programmers who have a penchant for writing terse and convoluted compound syntactic structures. Chapter 5, “Programmer Misconceptions,” is very informative, even for those who just want to appreciate the nuances of the Java language. The manner in which thread safety, sleep/yield, and volatile references are mentioned makes it very palatable for every level of programmer. I would recommend adding this book to one's arsenal alongside Effective Java [2]. The book is equally targeted at computer programming professionals who need to use it as a reference, as well as students of computer science. The structure of narration and the modularization of recommendations eases traversal across various advisories and allows for the quicker assimilation of information. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.