CERT-J

Summary

The SEI CERT® Oracle® Secure Coding Standard for Java™ provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. This standard, published in 2011, covers security issues.

Definitions

Definition	Requirements
CERTJ-IDS00-J. Prevent SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
CERTJ-IDS01-J. Normalize strings before validating them	172. Encrypt connection strings
CERTJ-IDS03-J. Do not log unsanitized user input	080. Prevent log modification
CERTJ-IDS06-J. Exclude unsanitized user input from format strings	083. Avoid logging sensitive data
CERTJ-IDS14-J. Do not trust the contents of hidden form fields	181. Transmit data using secure protocols 030. Avoid object reutilization 032. Avoid session ID leakages
CERTJ-IDS16-J. Prevent XML injection	173. Discard unsafe inputs 342. Validate request parameters
CERTJ-IDS17-J. Prevent XML External Entity attacks	324. Control redirects
CERTJ-NUM00-J. Detect or prevent integer overflow	345. Establish protections against overflows
CERTJ-OBJ10-J. Do not use public static nonfinal fields	227. Display access notification
CERTJ-MET02-J. Do not use deprecated or obsolete classes or methods	325. Protect WSDL files
CERTJ-MET03-J. Methods that perform a security check must be declared private or final	158. Use a secure programming language
CERTJ-ERR01-J. Do not allow exceptions to expose sensitive information	359. Avoid using generic exceptions
CERTJ-LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy	320. Avoid client-side control enforcement 026. Encrypt client-side session information
CERTJ-TSM00-J. Do not override thread-safe methods with methods that are not thread-safe	337. Make critical logic flows thread safe
CERTJ-TSM02-J. Do not use background threads during class initialization	346. Use initialization vectors once
CERTJ-FIO00-J. Do not operate on files in shared directories	280. Restrict service root directory 046. Manage the integrity of critical files
CERTJ-FIO01-J. Create files with appropriate access permissions	186. Use the principle of least privilege 341. Use the principle of deny by default
CERTJ-FIO03-J. Remove temporary files before termination	177. Avoid caching and temporary files 036. Do not deploy temporary files
CERTJ-FIO13-J. Do not log sensitive information outside a trust boundary	083. Avoid logging sensitive data
CERTJ-FIO14-J. Perform proper cleanup at program termination	183. Delete sensitive data securely
CERTJ-SER02-J. Sign then seal objects before sending them outside a trust boundary	151. Separate keys for encryption and signatures 178. Use digital signatures
CERTJ-SER12-J. Prevent deserialization of untrusted data	321. Avoid deserializing untrusted data
CERTJ-SEC04-J. Protect sensitive operations with security manager checks	378. Use of log management system 380. Define a password management tool
CERTJ-ENV02-J. Do not trust the values of environment variables	159. Obfuscate code
CERTJ-ENV06-J. Production code must not contain debugging entry points	078. Disable debugging events
CERTJ-MSC00-J. Use SSLSocket rather than Socket for secure data exchange	181. Transmit data using secure protocols
CERTJ-MSC02-J. Generate strong random numbers	223. Uniform distribution in random numbers
CERTJ-MSC04-J. Do not leak memory	164. Use optimized structures
CERTJ-MSC11-J. Do not let session information leak within a servlet	026. Encrypt client-side session information
CERTJ-DRD19-J. Properly verify server certificate on SSL/TLS	336. Disable insecure TLS versions
CERTJ-DRD15-J. Consider privacy concerns when using Geolocation API	213. Allow geographic location
CERTJ-STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator	044. Define an explicit charset

Last updated

2023/09/18