Last month, noted reported Dan Goodin wrote in Security of Java takes a dangerous turn for the worse that people need to beware of increasingly advanced Java exploits. He noted that Java, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits.
While Java insecurity may seem inevitable, it does not have to be, thanks to a great new book out. Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs is a follow-up to The CERT Oracle Secure Coding Standard for Java, which I reviewed here.
It is hard to find a company today that does not have at least a few developers coding in Java. Many large enterprises have scores of Java developers. While Java has robust security controls, they are only as robust as they are correctly implemented.
The book has 75 guidelines in which to write secure Java code. Each guideline includes detailed requirements for compliance and example of non-compliant code to avoid, which is included.
While some of the guidelines are obvious, such as not storing unencrypted sensitive information on the client side and storing passwords using a hash function, many of them are new to the uninitiated Java programmer, which is why this book is greatly needed.
A sample of the book, chapter 2, is available here.
This book should be in the hands of anyone that codes in Java. If a developer is not trained to write secure code, it’s inevitable that their code will be insecure.
James Gosling, the creator of Java writes in the forward that Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs highlights the fact that information security is not a feature; rather it’s an attitude toward taking due care at every point. Gosling found that the book is full of excellent guidance for dealing with those details. Take his word for it and get a copy.