No. of Pages: 744
About the Book
The CERT Oracle Secure Coding Standard for Java provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard's guidelines will lead to higher-quality systems: robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java, for devices such as PCs, game players, mobile phones, home appliances, and automotive electronics.
After a high-level introduction to Java application security, seventeen consistently organized chapters detail specific rules for key areas of Java development. For each area, the authors present noncompliant examples and corresponding compliant solutions, show how to assess risk, and offer references for further information. Each rule is prioritized based on the severity of consequences, likelihood of introducing exploitable vulnerabilities, and cost of remediation.
Contents
Chapter 1: Introduction
Chapter 2: Input Validation and Data Sanitization (IDS)
Chapter 3: Declarations and Initialization (DCL)
Chapter 4: Expressions (EXP)
Chapter 5: Numeric Types and Operations (NUM)
Chapter 6: Object Orientation (OBJ)
Chapter 7: Methods (MET)
Chapter 8: Exceptional Behavior (ERR)
Chapter 9: Visibility and Atomicity (VNA)
Chapter 10: Locking (LCK)
Chapter 11: Thread APIs (THI)
Chapter 12: Thread Pools (TPS)
Chapter 13: Thread-Safety Miscellaneous (TSM)
Chapter 14: Input Output (FIO)
Chapter 15: Serialization (SER)
Chapter 16: Platform Security (SEC)
Chapter 17: Runtime Environment (ENV)
Chapter 18: Miscellaneous (MSC)
About the Author
Fred Long is a senior lecturer and director of learning and teaching in the Department of Computer Science, Aberystwyth University in the United Kingdom. He lectures on formal methods; Java, C++, and C programming paradigms and programming-related security issues. He is chairman of the British Computer Society's Mid-Wales Sub-Branch. Fred has been a Visiting Scientist at the Software Engineering Institute since 1992. Recently, his research has involved the investigation of vulnerabilities in Java.
Dhruv Mohindra is a senior software engineer at Persistent Systems Limited, India, where he develops monitoring software for widely used enterprise servers. He has worked for CERT at the Software Engineering Institute and continues to collaborate to improve the state of security awareness in the programming community.
Robert C. Seacord is a computer security specialist and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering.
Robert manages the Secure Coding Initiative at CERT, located in Carnegie Mellon's Software Engineering Institute in Pittsburgh, Pennsylvania.
Dean F. Sutherland is a senior software security engineer at CERT. Dean received his Ph.D. in software engineering from Carnegie Mellon in 2008. Before his return to academia, he spent 14 years working as a professional software engineer at Tartan, Inc. He spent the last six of those years as a senior member of the technical staff and a technical lead for compiler backend technology.
David Svoboda is a software security engineer at CERT. David has been the primary developer on a diverse set of software development projects at Carnegie Mellon since 1991, ranging from hierarchical chip modeling and social organization simulation to automated machine translation (AMT). His KANTOO AMT software, developed in 1996, is still in production use at Caterpillar. He has over 13 years of Java development experience, starting with Java 2, and his Java projects include Tomcat servlets and Eclipse plug-ins.