Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs

Posted on by Ben Rothke

Last month, noted reporter Dan Goodin wrote in Security of Java takes a dangerous turn for the worse that people need to beware of increasingly advanced Java exploits. He noted that Java, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits.

While Java insecurity may seem inevitable, it does not have to be, thanks to a great new book out. Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs is a follow-up to The CERT Oracle Secure Coding Standard for Java, which I reviewed here.


It is hard to find a company today that does not have at least a few developers coding in Java. Many large enterprises have scores of Java developers. While Java has robust security controls, they are only as robust as they are correctly implemented.

The book has 75 guidelines for writing secure Java code. Each guideline includes detailed requirements for compliance and examples of non-compliant code to avoid.

While some of the guidelines are obvious, such as not storing unencrypted sensitive information on the client side and storing passwords using a hash function, many of them are new to the uninitiated Java programmer, which is why this book is greatly needed.

A sample of the book, chapter 2, is available here.

This book should be in the hands of anyone who codes in Java. If a developer is not trained to write secure code, it's inevitable that their code will be insecure.

James Gosling, the creator of Java, writes in the foreword that Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs highlights the fact that information security is not a feature; rather, it's an attitude toward taking due care at every point. Gosling found that the book is full of excellent guidance for dealing with those details. Take his word for it and get a copy.

ISBN 978-0321933157

Ben Rothke

Senior Information Security Manager, Tapad
