CERT-J

The SEI CERT® Oracle® Secure Coding Standard for Java™ provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. This standard, published in 2011, covers security issues.

Control-Requirement Mapping

Definition	Requirements
IDS00-J. Prevent SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
IDS01-J. Normalize strings before validating them	172. Encrypt connection strings
IDS03-J. Do not log unsanitized user input	080. Prevent log modification
IDS06-J. Exclude unsanitized user input from format strings	083. Avoid logging sensitive data
IDS14-J. Do not trust the contents of hidden form fields	181. Transmit data using secure protocols 030. Avoid object reutilization 032. Avoid session ID leakages
IDS16-J. Prevent XML injection	173. Discard unsafe inputs 342. Validate request parameters
IDS17-J. Prevent XML External Entity attacks	324. Control redirects
NUM00-J. Detect or prevent integer overflow	345. Establish protections against overflows
OBJ10-J. Do not use public static nonfinal fields	227. Display access notification
MET02-J. Do not use deprecated or obsolete classes or methods	325. Protect WSDL files
MET03-J. Methods that perform a security check must be declared private or final	158. Use a secure programming language
ERR01-J. Do not allow exceptions to expose sensitive information	359. Avoid using generic exceptions
LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy	320. Avoid client-side control enforcement 026. Encrypt client-side session information
TSM00-J. Do not override thread-safe methods with methods that are not thread-safe	337. Make critical logic flows thread safe
TSM02-J. Do not use background threads during class initialization	346. Use initialization vectors once
FIO00-J. Do not operate on files in shared directories	280. Restrict service root directory 046. Manage the integrity of critical files
FIO01-J. Create files with appropriate access permissions	186. Use the principle of least privilege 341. Use the principle of deny by default
FIO03-J. Remove temporary files before termination	177. Avoid caching and temporary files 036. Do not deploy temporary files
FIO13-J. Do not log sensitive information outside a trust boundary	083. Avoid logging sensitive data
FIO14-J. Perform proper cleanup at program termination	183. Delete sensitive data securely
SER02-J. Sign then seal objects before sending them outside a trust boundary	151. Separate keys for encryption and signatures 178. Use digital signatures
SER12-J. Prevent deserialization of untrusted data	321. Avoid deserializing untrusted data
SEC04-J. Protect sensitive operations with security manager checks	378. Use of log management system 380. Define a password management tool
ENV02-J. Do not trust the values of environment variables	159. Obfuscate code
ENV06-J. Production code must not contain debugging entry points	078. Disable debugging events
MSC00-J. Use SSLSocket rather than Socket for secure data exchange	181. Transmit data using secure protocols
MSC02-J. Generate strong random numbers	223. Uniform distribution in random numbers
MSC04-J. Do not leak memory	164. Use optimized structures
MSC11-J. Do not let session information leak within a servlet	026. Encrypt client-side session information
DRD19-J. Properly verify server certificate on SSL/TLS	336. Disable insecure TLS versions
DRD15-J. Consider privacy concerns when using Geolocation API	213. Allow geographic location
STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator	044. Define an explicit charset

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.