The CERT Oracle Secure Coding Standard for Java


Posted on by Ben Rothke

My review of this book originally appeared at http://books.slashdot.org/story/11/11/30/2216218/book-review-the-cert-oracle-secure-coding-standard-for-java

It has been a decade since Oracle started their unbreakable campaign  touting the security robustness of their products. Aside from the fact  that unbreakable only refers to the enterprise kernel; Oracle still can  have significant security flaws. Even though Java supports very strong  security controls including JAAS (Java Authentication and Authorization  Services), it still requires a significant effort to code Java securely.  With that The CERT Oracle Secure Coding Standard for Java is an  invaluable guide that provides the reader with the strong coding  guidelines and practices in order to reduce coding vulnerabilities that  can lead to Java and Oracle exploits. 

The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.  

The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.  

This  book provides a set of guidelines for secure programming in Java SE 6  and 7 environments. It is primarily targeted at software developers and  computer security practitioners. While Java is inherently designed to be  relatively secure as compared with other languages, it requires the  developer to understand the security controls and language features  thoroughly before he can implement them correctly. The book illustrates  insecure coding practices and suggests corresponding safe alternatives  to enable a developer to have an optimal blueprint.  

Software  developers are constantly under pressure to accommodate feature requests  and have to strike a fine balance between enhancing delivery excellence  and releasing a software product in consonance with deadlines. At the  same time they routinely tackle technical challenges and often document  their experience for the benefit of others. This book is one such  effort, in that, several programmers and reviewers have contributed the  contents. It encourages a developer to think beyond programming logic  and enables him to produce clear, concise, maintainable and secure code –  a mandatory requirement for today's dynamic software industry which is  plagued by a spectrum of security threats and attrition's. 

This  book isn't for a Java beginner. The introductory chapter expects an  intermediate or seasoned Java professional to identify the gamut of  security vulnerabilities that frequently manifest in code and design.  The chapter briefly explains injections attacks, unintended information  disclosure, denial of service and issues involving concurrency and class  loaders. Summary tables have been provided to assist the reader to  easily locate representative secure coding rules for each category.  

The  examples presented primarily encompass the lang and util libraries of  Java SE and also cover collections, concurrency, logging, management,  reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP  libraries. No particular Java platform or technology has been favored;  the set of rules is generic and independent of whether a mobile,  enterprise, desktop or web application is being developed.  

Notably,  the layout enables the practitioner to pick up any chapter or rule at  random without requiring him to read the preceding pages. Each rule has a  short description of a unique problem and one or more non-compliant and  compliant code examples. Risk assessment and references to other coding  standards along with bibliography are also provided.  

Unfortunately,  the suggested tips for automatic detection of described problems aren't  very practical because no automated bug detection tools have been  vetted. Some rules also have a related vulnerabilities section that  preys on weaknesses in commonplace software in context of the described  problem.  

Chapter 2 focuses on input validation and data  sanitization. It highlights attacks such as SQL, XML, and OS injection  and XML External Entity (XXE) and suggests corresponding mitigation  techniques. It mentions but doesn't elaborate on web-based attacks such  as cross-site scripting and CSRF, to avoid being too domain specific.  The chapter advises developers to normalize strings, canonicalize and  validate path names, refrain from logging unsanitized input, use  appropriate internationalization and globalization APIs, avoid string  encoding misgivings and other issues.  

Chapters 3, 4 and 5 deal  with declarations and class initialization, expressions, and numeric  operations respectively. Dangers of auto-boxing, side-effects in  assertions, integer overflow, and vagaries of floating point arithmetic  are discussed at length. 

The examples are short, to the point  and intellectually challenging for the advanced reader. For example, one  rule – don't use denormalized numbers dissects a vulnerability in Java  1.6 and earlier that allows an attacker to perform a denial of service  attack by sending a crafted input to the JVM. 

The book devotes a  chapter to object-oriented programming and stresses on limiting  extensibility of classes, encapsulating data, ensuring that code  refactoring doesn't result in broken class hierarchies, using generics  for fun and profit and so on.

Another chapter discusses Java  methods, for example, one rule suggests that subclasses mustn't increase  the accessibility of an overridden method. There is some useful  information about using methods of Object class properly. This  information is standard advice that can also be found in other books.  This book offers all that and more. For example, one rule documents a  convincing and exhaustive list of reasons why you shouldn't use  finalizers. 

The book also highlights misconstrued exception  handling practices through examples akin to the shortcuts programmers  invent, to save themselves from the trouble of having to handle  exceptions. It explains why doing that can be insidious. Information  disclosure arising from ill-conceived exception handling strategies is  also discussed. Some may disagree with the advice on the pretext that  exception handling when done the right way leads to unreadable code,  however, the features presented from Java 7 convincingly offer a middle  path. Further, when compliance with a certain rule is believed to be  challenging and costly, the standard allows documented deviations and  even lists valid exceptions for each rule. 

Chapters 9, 10, 11,  12 and 13 are reserved for concurrency related issues. There are more  than 30 rules in these chapters; the set could qualify as a handbook of  concurrency issues and solutions. At a high level, the chapters cover  visibility and atomicity, locking, thread class APIs, thread pools and  thread safety in multi-threaded Java programs. The chapters don't assume  that the reader has any familiarity with multi-threaded programming.  

The  next few chapters highlight input-output (I/O) risks such as working  with shared directories, using files securely, closing resource handles  properly, serialization and more. The book doesn't assume that the  reader has a sophisticated background in serialization and builds from  the basics. It cites examples of vulnerabilities that necessitate  understanding the role of serialization. 

A chapter on platform  security follows, and is meant for advanced Java users. This chapter  leads to another on runtime environment that cautions against signing  code, granting permissions frivolously and permitting insecure  deployment configurations. The final chapter captures miscellaneous  rules that forbid hardcoding sensitive information, leaking memory,  generating weak random numbers and writing insecure singletons among  other topics.  

Many other leading security standards delineate  high-level measures that must be taken to ensure compliance but most  fall short of prescribing the exact recipe to get there. This book fills  that gap by approaching security from the ground-zero level upwards.  However, it doesn't clearly specify to what extent the rules will help  organizations meet the compliance goals proposed by other security  standards. All the same, the eighteen crisp chapters of this book  undeniably have the potential to help the software developer win the  battle against software insecurity on his own terms.  

For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Java is a very useful resource that no programmer should be without.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

data security

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs