The CERT Oracle Secure Coding Standard for Java, 1e

Product number: 87077217

Description

The CERT Oracle Secure Coding Standard for Java, 1e

Reviews

M**I

Excellent book

A must read

M**G

Does what it says on the cover

Massive detail, a little dull but that's the nature of the subject :)

J**B

Good resource for Java architects, developers, and application security auditors

"The CERT Oracle Secure Coding Standard for Java" is a thoroughly researched and authoritative guide to secure coding in Java. It specifically focuses on Java SE 6 and some of the features of Java SE 7, so don't look for coverage of security best practices for Java EE and certainly not for web application security issues that target aspects of HTTP, HTML, or JavaScript (e.g., Cross-Site Scripting, Cross-Site Request Forgery, etc.). The book actually goes beyond guidance for coding a secure application, providing insight into building a solid, high-quality application. Indeed, in the Preface it notes that the goal of the rules is to help developers build "higher quality systems that are safe, secure, reliable, dependable, robust, resilient, available, and maintainable".

The coding standards are provided as a clearly documented set of rules, each one including some summary information about the rule, code examples of the rule not being followed as well as code that does follow the rule, enumerated exceptions where it's permissible to deviate from the rule, and lastly a risk assessment of the vulnerability that arises when you don't follow the rule. The list of rules is extensive, so the authors have helpfully grouped them into the following categories:

* Input Validation and Data Sanitization
* Declarations and Initialization
* Expressions
* Numeric Types and Operations
* Object Orientation
* Methods
* Exceptional Behavior (i.e., proper usage and handling of exceptions)
* Visibility and Atomicity
* Locking
* Thread APIs
* Thread Pools
* Thread-Safety Miscellaneous
* Input Output
* Serialization
* Platform Security
* Runtime Environment
* Miscellaneous

This presentation format lends itself to a very organized and comprehensive treatment of the subject, but doesn't make it the type of book that you can easily read from cover to cover. It would be fair to say that it reads more like a reference book that's tremendously useful when you're interested in practical secure Java coding practices for a specific area rather than as a training guide. Before finding that specific topic of interest, however, it would be wise to read the excellent introductory chapter. The introduction provides overviews of each of the principal sources of vulnerabilities in Java applications: misplaced trust; injection attacks (including a very helpful explanation of the appropriate use and sequencing of validation, sanitization, canonicalization, and normalization); leaking sensitive data; leaking capabilities; denial of service; serialization; concurrency, visibility, and memory; security managers; and class loaders.

It's also important to note that many of the rules focus on how to write mobile code that can be safely executed in untrusted systems or how to use untrusted mobile code on trusted systems. In these cases, the attacker is writing code that interacts with your code and takes advantage of vulnerabilities you have left by not following the prescribed rules. This attacker context is quite different from that of an external hacker trying to take advantage of flaws in a web site, for example.

Although the book is probably best used as a reference guide in which you'll seek out a topic of interest rather than read from front to back, it's undeniably a highly valuable contribution to the topic of secure Java coding. As such, it's a useful addition to the bookshelves of Java architects, developers, and application security auditors.
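The review above credits the book's introduction with explaining the sequencing of validation, sanitization, canonicalization, and normalization. The Java program below is an added example written for this page, not code from the book or from the reviewer. It illustrates the ordering point behind the book's rule IDS01-J (normalize strings before validating them): the crafted input, the deliberately crude `[<>]` validator, and the class and method names are all this example's own choices, and it uses only `java.text.Normalizer` from the standard library.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

// Added example (not from the book): why normalization must run before
// validation. Names and the validator are this example's own assumptions.
public class NormalizeThenValidate {
    // Crude stand-in for a real validator: reject any angle bracket.
    private static final Pattern ANGLE_BRACKETS = Pattern.compile("[<>]");

    // Wrong order: validate, then normalize. Fullwidth U+FF1C and U+FF1E are
    // not '<' or '>' yet, so the check passes; NFKC normalization afterwards
    // maps them to ASCII '<' and '>', and the "validated" string now carries
    // exactly what the validator was meant to reject.
    static String validateThenNormalize(String s) {
        if (ANGLE_BRACKETS.matcher(s).find()) {
            throw new IllegalArgumentException("invalid input");
        }
        return Normalizer.normalize(s, Normalizer.Form.NFKC);
    }

    // Right order (IDS01-J): normalize to the canonical form first, then
    // validate the string the rest of the program will actually use.
    static String normalizeThenValidate(String s) {
        String canonical = Normalizer.normalize(s, Normalizer.Form.NFKC);
        if (ANGLE_BRACKETS.matcher(canonical).find()) {
            throw new IllegalArgumentException("invalid input");
        }
        return canonical;
    }

    public static void main(String[] args) {
        // Constructed input: "script" wrapped in fullwidth angle brackets.
        String crafted = "\uFF1Cscript\uFF1E";

        // Wrong order returns "<script>" to the caller.
        System.out.println("validate-then-normalize accepted: "
                + validateThenNormalize(crafted));

        // Right order rejects the same input.
        try {
            normalizeThenValidate(crafted);
            System.out.println("normalize-then-validate accepted (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("normalize-then-validate rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac NormalizeThenValidate.java && java NormalizeThenValidate`. The same reasoning applies to canonicalizing file paths or decoding percent-encoded URLs: perform every canonicalization or decoding step the program will later perform, and only then validate the result.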

L**A

Reference Material

Nice reference material, but not very useful for the average developer. It has a small introductory chapter on secure coding practices and the remainder of the book is a list of common vulnerabilities and short advice on how to avoid them, but it lacks details on how to identify and address them or on how developers should change their programming practices to avoid introducing them in the first place. If you are looking for a book to help you code secure applications, you should look somewhere else.

P**K

Great Content

Well-written book. Serves its purpose that my team is using it for. Every sprint they choose new security standards to address (and automate) and this book is a big help in that regard. Easy to dissect and find useful information.


Price (Desertcart Macau): MOP$47, duties and taxes included
