Title: Rule AA. References  
Author: Fred Long Sep 14, 2007
Last Changed by: Robert Schiela Sep 15, 2022
Tiny Link: (useful for email) https://wiki.sei.cmu.edu/confluence/x/LDdGBQ
Export As: Word · PDF  
Incoming Links
Android (18)
    Page: DRD08-J. Always canonicalize a URL received by a content provider
    Page: DRD03-J. Do not broadcast sensitive information using an implicit intent
    Page: DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)
    Page: Applicability Test
    Page: DRD04-J. Do not log sensitive information
    Page: DRD14-J. Check that a calling app has appropriate permissions before responding
    Page: DRD05-J. Do not grant URI permissions on implicit intents
    Page: DRD06. Do not act on malicious intents
    Page: DRD16-X. Explicitly define the exported attribute for private components
    Page: DRD11. Ensure that sensitive data is kept secure
    Page: Applicable in Principle to Android (Java Rules/Recomendations)
    Page: DRD07-X. Protect exported services with strong permissions
    Page: DRD00. Do not store sensitive information on external storage (SD card) unless encrypted first
    Page: Unknown Applicability to Android (Java Rules/Recomendations)
    Page: DRD02-J. Do not allow WebView to access sensitive local resource through file scheme
    Page: DRD19. Properly verify server certificate on SSL/TLS
    Page: DRD20-C. Specify permissions when creating files via the NDK
    Page: DRD01-X. Limit the accessibility of an app's sensitive content provider
SEI CERT Oracle Coding Standard for Java (180)
    Page: MET04-J. Do not increase the accessibility of overridden or hidden methods
    Page: SER01-J. Do not deviate from the proper signatures of serialization methods
    Page: IDS04-J. Safely extract files from ZipInputStream
    Page: TPS01-J. Do not execute interdependent tasks in a bounded thread pool
    Page: IDS06-J. Exclude unsanitized user input from format strings
    Page: Leaking Capabilities
    Page: FIO14-J. Perform proper cleanup at program termination
    Page: Concurrency, Visibility, and Memory
    Page: SER05-J. Do not serialize instances of inner classes
    Page: MSC04-J. Do not leak memory
    Page: DCL01-J. Do not reuse public identifiers from the Java Standard Library
    Page: NUM09-J. Do not use floating-point variables as loop counters
    Page: Rule: Contents and Organization
    Page: Libraries
    Page: VNA05-J. Ensure atomicity when reading and writing 64-bit values
    Page: MET06-J. Do not invoke overridable methods in clone()
    Page: EXP06-J. Expressions used in assertions must not produce side effects
    Page: NUM10-J. Do not construct BigDecimal objects from floating-point literals
    Page: MSC06-J. Do not modify the underlying collection when an iteration is in progress
    Page: EXP03-J. Do not use the equality operators when comparing values of boxed primitives
    Page: OBJ58-J. Limit the extensibility of classes and methods with invariants
    Page: SER04-J. Do not allow serialization and deserialization to bypass the security manager
    Page: ERR05-J. Do not let checked exceptions escape from a finally block
    Page: SER06-J. Make defensive copies of private mutable components during deserialization
    Page: OBJ10-J. Do not use public static nonfinal fields
    Page: VNA01-J. Ensure visibility of shared references to immutable objects
    Page: THI05-J. Do not use Thread.stop() to terminate threads
    Page: ERR02-J. Prevent exceptions while logging data
    Page: MSC11-J. Do not let session information leak within a servlet
    Page: OBJ11-J. Be wary of letting constructors throw exceptions
    Page: LCK03-J. Do not synchronize on the intrinsic locks of high-level concurrency objects
    Page: FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
    Page: IDS08-J. Sanitize untrusted data included in a regular expression
    Page: MET03-J. Methods that perform a security check must be declared private or final
    Page: NUM14-J. Use shift operators correctly
    Page: SER10-J. Avoid memory and resource leaks during serialization
    Page: MET00-J. Validate method arguments
    Page: SEC01-J. Do not allow tainted variables in privileged blocks
    Page: EXP05-J. Do not follow a write by a subsequent write or read of the same object within an expression
    Page: ERR07-J. Do not throw RuntimeException, Exception, or Throwable
    Page: JNI01-J. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary)
    Page: OBJ02-J. Preserve dependencies in subclasses when changing superclasses
    Page: Denial of Service
    Page: FIO12-J. Provide methods to read and write little-endian data
    Page: OBJ09-J. Compare classes and not class names
    Page: SEC02-J. Do not base security checks on untrusted sources
    Page: STR00-J. Don't form strings containing partial characters from variable-width encodings
    Page: FIO10-J. Ensure the array is filled when using read() to fill an array
    Page: SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary
    Page: TPS03-J. Ensure that tasks executing in a thread pool do not fail silently
    Page: MET10-J. Follow the general contract when implementing the compareTo() method
    Page: NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
    Page: ENV04-J. Do not disable bytecode verification
    Page: IDS01-J. Normalize strings before validating them
    Page: TPS04-J. Ensure ThreadLocal variables are reinitialized when using thread pools
    Page: MSC05-J. Do not exhaust heap space
    Page: SER09-J. Do not invoke overridable methods from the readObject() method
    Page: Privilege Escalation
    Page: STR50-J. Use the appropriate method for counting characters in a string
    Page: THI00-J. Do not invoke Thread.run()
    Page: STR51-J. Use the charset encoder and decoder classes when more control over the encoding process is required
    Page: OBJ05-J. Do not return references to private mutable class members
    Page: IDS00-J. Prevent SQL injection
    Page: NUM00-J. Detect or prevent integer overflow
    Page: MSC03-J. Never hard code sensitive information
    Page: ERR09-J. Do not allow untrusted code to terminate the JVM
    Page: OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
    Page: MET01-J. Never use assertions to validate method arguments
    Page: EXP02-J. Do not use the Object.equals() method to compare two arrays
    Page: Rule: Priority and Levels
    Page: IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
    Page: NUM11-J. Do not compare or inspect the string representation of floating-point values
    Page: SER00-J. Enable serialization compatibility during class evolution
    Page: LCK04-J. Do not synchronize on a collection view if the backing collection is accessible
    Page: NUM02-J. Ensure that division and remainder operations do not result in divide-by-zero errors
    Page: ENV06-J. Production code must not contain debugging entry points
    Page: IDS50-J. Use conservative file naming conventions
    Page: LCK10-J. Use a correct form of the double-checked locking idiom
    Page: Java Rules
    Page: MET11-J. Ensure that keys used in comparison operations are immutable
    Page: EXP01-J. Do not use a null in a case where an object is required
    Page: ERR04-J. Do not complete abruptly from a finally block
    Page: TSM02-J. Do not use background threads during class initialization
    Page: THI04-J. Ensure that threads performing blocking operations can be terminated
    Page: NUM03-J. Use integer types that can fully represent the possible range of unsigned data
    Page: ERR01-J. Do not allow exceptions to expose sensitive information
    Page: MET08-J. Preserve the equality contract when overriding the equals() method
    Page: MSC07-J. Prevent multiple instantiations of singleton objects
    Page: MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface
    Page: STR02-J. Specify an appropriate locale when comparing locale-dependent data
    Page: ERR03-J. Restore prior object state on method failure
    Page: STR04-J. Use compatible character encodings when communicating string data between JVMs
    Page: ENV03-J. Do not grant dangerous combinations of permissions
    Page: LCK09-J. Do not perform operations that can block while holding a lock
    Page: NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms
    Page: DCL61-J. Do not use raw types
    Page: Rule: Scope
    Page: IDS17-J. Prevent XML External Entity Attacks
    Page: VNA02-J. Ensure that compound operations on shared variables are atomic
    Page: TPS00-J. Use thread pools to enable graceful degradation of service during traffic bursts
    Page: FIO01-J. Create files with appropriate access permissions
    Page: LCK01-J. Do not synchronize on objects that may be reused
    Page: FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
    Page: NUM04-J. Do not use floating-point numbers if precise computation is required
    Page: THI02-J. Notify all waiting threads rather than a single thread
    Page: TSM01-J. Do not let the this reference escape during object construction
    Page: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields
    Page: NUM08-J. Check floating-point inputs for exceptional values
    Page: MET09-J. Classes that define an equals() method must also define a hashCode() method
    Page: EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
    Page: SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader
    Page: NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
    Page: VNA00-J. Ensure visibility when accessing shared primitive variables
    Page: MET12-J. Do not use finalizers
    Page: OBJ03-J. Prevent heap pollution
    Page: STR01-J. Do not assume that a Java char fully represents a Unicode code point
    Page: MET02-J. Do not use deprecated or obsolete classes or methods
    Page: SER03-J. Do not serialize unencrypted sensitive data
    Page: LCK08-J. Ensure actively held locks are released on exceptional conditions
    Page: LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
    Page: MSC01-J. Do not use an empty infinite loop
    Page: FIO02-J. Detect and handle file-related errors
    Page: Rule: Tool Selection and Validation
    Page: IDS16-J. Prevent XML Injection
    Page: DCL02-J. Do not modify the collection's elements during an enhanced for statement
    Page: LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
    Page: NUM01-J. Do not perform bitwise and arithmetic operations on the same data
    Page: SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar
    Page: FIO03-J. Remove temporary files before termination
    Page: SEC04-J. Protect sensitive operations with security manager checks
    Page: VNA04-J. Ensure that calls to chained methods are atomic
    Page: LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code
    Page: SER02-J. Sign then seal objects before sending them outside a trust boundary
    Page: SER11-J. Prevent overwriting of externalizable objects
    Page: OBJ08-J. Do not expose private members of an outer class from within a nested class
    Page: FIO00-J. Do not operate on files in shared directories
    Page: ENV00-J. Do not sign code that performs only unprivileged operations
    Page: FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code
    Page: Input Validation and Data Sanitization
    Page: NUM07-J. Do not attempt comparisons with NaN
    Page: ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it
    Page: SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes
    Page: SER08-J. Minimize privileges before deserializing from a privileged context
    Page: IDS03-J. Do not log unsanitized user input
    Page: ENV02-J. Do not trust the values of environment variables
    Page: Leaking Sensitive Data
    Page: ENV05-J. Do not deploy an application that can be remotely monitored
    Page: DCL00-J. Prevent class initialization cycles
    Page: FIO07-J. Do not let external processes block on IO buffers
    Page: ERR08-J. Do not catch NullPointerException or any of its ancestors
    Page: STR03-J. Do not encode noncharacter data as a string
    Page: NUM54-J. Do not use denormalized numbers
    Page: IDS11-J. Perform any string modifications before validation
    Page: LCK06-J. Do not use an instance lock to protect shared static data
    Page: OBJ07-J. Sensitive classes must not let themselves be copied
    Page: LCK05-J. Synchronize access to static fields that can be modified by untrusted code
    Page: TPS02-J. Ensure that tasks submitted to a thread pool are interruptible
    Page: FIO04-J. Release resources when they are no longer needed
    Page: SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
    Page: Rule BB. Glossary
    Page: ERR06-J. Do not throw undeclared checked exceptions
    Page: Rule. Introduction
    Page: OBJ01-J. Limit accessibility of fields
    Page: OBJ06-J. Defensively copy mutable inputs and mutable internal components
    Page: JNI00-J. Define wrappers around native methods
    Page: Type Safety
    Page: THI03-J. Always invoke wait() and await() methods inside a loop
    Page: FIO16-J. Canonicalize path names before validating them
    Page: FIO13-J. Do not log sensitive information outside a trust boundary
    Page: MET05-J. Ensure that constructors do not call overridable methods
    Page: MSC02-J. Generate strong random numbers
    Page: VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic
    Page: THI01-J. Do not invoke ThreadGroup methods
    Page: ERR00-J. Do not suppress or ignore checked exceptions
    Page: FIO08-J. Distinguish between characters or bytes read from a stream and -1
    Page: TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
    Page: MSC00-J. Use SSLSocket rather than Socket for secure data exchange
    Page: TSM03-J. Do not publish partially initialized objects
    Page: LCK02-J. Do not synchronize on the class object returned by getClass()
    Page: EXP00-J. Do not ignore values returned by methods
SEI CERT C Coding Standard (1)
    Page: MSC19-C. For functions that return an array, prefer returning an empty array over a null value
Hierarchy
Parent Page
    Page: 4 Back Matter
Labels
Global Labels (2)
Outgoing Links
External Links (206)
    gceclub.sun.com.cn/java_one_online/2007/pdf/TS-2890.pdf
    java.sun.com/javase/6/docs/api/
    g.oswego.edu/dl/jmm/cookbook.html
    docs.oracle.com/javase/8/docs/technotes/guides/intl/encodin…
    developers.sun.com/learning/javaoneonline/2007/pdf/TS-2689.…
    www.w3.org/TR/REC-xml/#include-if-valid
    dx.doi.org/10.1109/SP.2006.29
    www.cs.umd.edu/class/spring2006/cmsc132/Slides/JMM06.pdf
    https://www.pcisecuritystandards.org/security_standards/ind…
    sourceforge.net/projects/owasp/files/Guide/2.0.1/OWASPGuide…
    docs.oracle.com/javase/6/docs/index.html
    developer.android.com/guide/practices/verifying-apps-art.ht…
    java.sun.com/security/seccodeguide.html
    docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jni…
    www.jssec.org/dl/android_securecoding.pdf
    www.javaworld.com/javaworld/jw-10-2003/jw-1003-generics.htm…
    developers.sun.com/learning/javaoneonline/2007/pdf/TS-2707.…
    java.sun.com/docs/books/tutorial/index.html
    www.makeitfly.co.uk/Presentations/london-securecoding.pdf
    www.gnu.org/prep/standards/standards.html#Syntactic-Convent…
    mindprod.com/jgloss/jgloss.html
    https://intrepidusgroup.com/insight/2012/05/ndk-file-permis…
    www.ibm.com/developerworks/library/j-jtp05254.html
    portal.acm.org/citation.cfm?id=28718
    portal.acm.org/citation.cfm?doid=1693453.1693485
    www.cs.umd.edu/%7Epugh/java/memoryModel/
    www.artima.com/intv/solid.html
    doi.acm.org/10.1145/365230.365252
    www.sei.cmu.edu/library/abstracts/reports/09tr010.cfm
    portal.acm.org/citation.cfm?doid=286936.286945
    android-developers.blogspot.com/2011/11/jni-local-reference…
    dow.ngra.de/2009/02/16/the-ultimate-java-puzzler/
    portal.acm.org/citation.cfm?id=130616.130623
    developers.sun.com/learning/javaoneonline/sessions/2009/pdf…
    tomcat.apache.org/
    www.ambysoft.com/books/elementsJavaStyle.html
    www.unicode.org/versions/Unicode5.1.0/
    www.microsoft.com/mspress/books/5957.aspx
    download.java.net/jdk7/docs/
    World.com
    www.javaworld.com/javaworld/javaqa/2003-06/02-qa-0627-myths…
    www.onjava.com/pub/a/onjava/2005/01/26/classloading.html
    pubs.opengroup.org/onlinepubs/009695399/mindex.html
    docs.oracle.com/javase/6/docs/technotes/guides/security/per…
    www.ibm.com/developerworks/java/library/j-jtp0618.html
    java.sun.com/javase/6/docs/technotes/guides/management/inde…
    docs.sun.com/source/817-2180-10/
    docs.oracle.com/javase/specs/jls/se8/html/index.html
    docs.oracle.com/javase/8/docs/technotes/guides/collections/
    www.rgoarchitects.com/Files/fallacies.pdf
    www.stsc.hill.af.mil/crosstalk/2005/10/0510DanLo.html
    developer.android.com/training/articles/perf-jni.html
    java.sun.com/developer/JDCTechTips/2001/tt0130.html
    java.sun.com/javase/6/docs/technotes/tools/windows/java.htm…
    developers.sun.com/
    java.sun.com/j2se/1.5.0/docs/guide/reflection/index.html
    java.sun.com/javase/6/docs/index.html
    java.sun.com/javase/6/docs/technotes/guides/security/Policy…
    java.sun.com/developer/JDCTechTips/2004/tt0518.html#2
    www.oracle.com/technetwork/articles/java/compress-1565076.h…
    java.sun.com/javase/6/docs/technotes/guides/security/permis…
    gceclub.sun.com.cn/java_one_online/2006/TS-1238/TS-1238.pdf
    java.sun.com/j2se/1.4.2/docs/guide/misc/threadPrimitiveDepr…
    java.sun.com/j2se/1.5.0/docs/guide/jvmti/jvmti.html
    onjava.com/pub/a/onjava/2003/08/20/memoization.html
    www.ibm.com/developerworks/java/library/j-fv/index.html
    www.ibm.com/developerworks/java/library/j-jtp03216.html
    docs.oracle.com/javase/7/docs/api/
    cwe.mitre.org/
    java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/seria…
    ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4420062
    docs.oracle.com/javase/1.5.0/docs/guide/nio/
    www.ibm.com/developerworks/java/library/j-jtp11234/
    www.javaworld.com/javaworld/jw-09-1997/jw-09-hood.html?page…
    grouper.ieee.org/groups/754/
    www.pearsonhighered.com/educator/academic/product/0,,013239…
    www.telecom.ntua.gr/HTML.Tutorials/index.html
    www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html
    developer.android.com/guide/index.html
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting…
    www.securityfocus.com/archive/1/297714
    tika.apache.org/index.html
    www.sei.cmu.edu/publications/documents/05.reports/05tn044.h…
    developer.android.com/reference/packages.html
    www.oracle.com/technetwork/articles/java/java8-optional-217…
    docs.oracle.com/javaee/6/api/javax/servlet/http/package-sum…
    www.ibm.com/developerworks/xml/library/x-xpathinjection.htm…
    www.javapractices.com/topic/TopicAction.do?Id=206
    www.cs.umd.edu/%7Epugh/java/memoryModel/jsr-133-faq.html#fi…
    https://www.owasp.org/index.php/Preventing_LDAP_Injection_i…
    java.sun.com/developer/onlineTraining/Programming/JDCBook/i…
    https://buildsecurityin.us-cert.gov/
    https://bugs.openjdk.java.net/secure/Dashboard.jspa
    www.rapid7.com/db/modules/exploit/multi/browser/java_atomic…
    mikeware.us/thesis/
    www.objectmentor.com/resources/articles/granularity.pdf
    www.onjava.com/pub/a/onjava/2001/04/26/midlet.html
    xlinux.nist.gov/dads/HTML/partialorder.html
    docs.oracle.com/javase/8/docs/api/
    https://www.owasp.org/index.php/Double_Encoding
    www.ibm.com/developerworks/java/library/j-jtp01274.html
    java.sun.com/javase/6/docs/technotes/guides/jweb/applet/app…
    reports-archive.adm.cs.cmu.edu/anon/isri2007/abstracts/07-1…
    java.sun.com/javase/technologies/hotspot/gc/gc_tuning_6.htm…
    www.unicode.org/reports/tr36/
    www.lookout.net/wp-content/uploads/2009/03/chris_weber_expl…
    tomcat.apache.org/tomcat-6.0-doc/changelog.html
    tomcat.apache.org/security-6.html
    developers.sun.com/learning/javaoneonline/sessions/2009/pdf…
    cve.mitre.org
    https://pms.cs.ru.nl/iris-diglib/src/getContent.php?id=2006…
    www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
    https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE…
    xlinux.nist.gov/dads/HTML/totalorder.html
    www.hpenterprisesecurity.com/vulncat/en/vulncat/java/j2ee_b…
    www.inter-locale.com/whitepaper/IUC27-a303.html
    www.jssec.org/dl/android_securecoding_en.pdf
    java.sun.com/javase/6/docs/technotes/guides/jvmti/index.htm…
    developers.sun.com/learning/javaoneonline/sessions/2009/pdf…
    java.sun.com/j2se/1.5.0/docs/guide/security/spec/security-s…
    www.w3.org/TR/geolocation-API/
    https://www.safaribooksonline.com/library/view/secure-codin…
    www.javaworld.com/javaworld/javaqa/2003-02/02-qa-0228-evilt…
    java.sun.com/javase/6/docs/technotes/guides/security/spec/s…
    www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/inde…
    www.reasoning.com/pdf/Tomcat_Defect_Report.pdf
    www.oracle.com/technetwork/java/seccodeguide-139067.html#9-…
    java.sun.com/developer/JDCTechTips/2005/tt0104.html
    www.unicode.org/versions/Unicode6.0.0/
    java.sun.com/docs/books/jvms/
    developers.sun.com/learning/javaoneonline/2007/pdf/TS-2594.…
    www.cs.umd.edu/%7Epugh/java/memoryModel/TS-754.pdf
    www.iplosion.com/papers/ruining_security_with_java.util.ran…
    www.ibm.com/developerworks/rational/library/05/0816_GuptaPa…
    findbugs.sourceforge.net/bugDescriptions.html
    www.oracle.com/technetwork/topics/security/alert-cve-2013-0…
    tools.ietf.org/html/rfc6749
    java.sun.com/j2se/1.5.0/docs/guide/language/generics.html
    www.onjava.com/pub/a/onjava/2003/11/19/exceptions.html
    java.sun.com/javase/6/docs/technotes/guides/reflection/inde…
    www.ibm.com/developerworks/java/library/j-jtp07265/index.ht…
    www.two-sdg.demon.co.uk/curbralan/papers/europlop/NullObjec…
    java.sun.com/javase/6/docs/technotes/guides/jni/index.html
    www.brouhaha.com/%7Eeric/software/mocha/
    java.sun.com/developer/technicalArticles/Programming/compre…
    https://viaforensics.com/resources/reports/best-practices-i…
    docs.oracle.com/javase/specs/jls/se7/html/index.html
    gceclub.sun.com.cn/java_one_online/2005/TS-3738/
    dl.acm.org/citation.cfm?doid=1814217.1814224
    https://people.eecs.berkeley.edu/~daw/papers/intents-mobisy…
    https://developer.android.com/training/articles/security-ti…
    www.c2.com/cgi/wiki?ReflectionOnInnerClasses
    java.sun.com/j2se/1.3/docs/guide/
    java.sun.com/developer/technicalArticles/Programming/serial…
    www.javaworld.com/javaworld/jw-01-2001/jw-0112-singleton.ht…
    java.sun.com/developer/TechTips/2000/tt0328.html
    www.old.netobjectdays.org/pdf/02/papers/industry/1430.pdf
    www.unicode.org/versions/Unicode6.2.0/
    www.cs.arizona.edu/%7Ecollberg/Research/Students/DouglasLow…
    developers.sun.com/learning/javaoneonline/sessions/2009/pdf…
    www.angelikalanger.com/GenericsFAQ/FAQSections/ProgrammingI…
    dc112.4shared.com/doc/6HMOFIdN/preview.html
    docs.oracle.com/cd/E26576_01/doc.312/e24936/tuning-java.htm…
    www.ibm.com/developerworks/java/library/j-jtp06197.html
    java.sun.com/javase/6/docs/technotes/guides/management/toc.…
    java.sun.com/j2se/1.5.0/docs/guide/jmx/index.html
    shipilev.net/blog/2014/safe-public-construction/
    secunia.com/advisories/
    blog.thetaphi.de/2012/07/default-locales-default-charsets-a…
    java.sun.com/j2se/1.5.0/docs/guide/jar/jar.html
    lars-lab.jpl.nasa.gov/JPL_Coding_Standard_Java.pdf
    immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis…
    oauth.net/core/1.0a/
    www.fortify.com/vulncat/en/vulncat/index.html
    www.oreillynet.com/onjava/blog/2004/09/avoiding_checked_exc…
    dx.doi.org/10.1109/C-M.1981.220208
    ftp://ftp.estec.esa.nl/pub/wm/anonymous/wme/bssc/Java-Codin…
    lsd-pl.net/projects/
    web.mit.edu/Saltzer/www/publications/protection/
    download.oracle.com/javase/6/docs/technotes/guides/extensio…
    doi.acm.org/10.1145/956641.956647
    unicode.org/reports/tr15/
    https://docs.oracle.com/javaee/7/api/toc.htm
    download.java.net/jdk8/docs/technotes/guides/security/dopri…
    oreilly.com/catalog/javarmi/chapter/ch10.html
    www.blackhat.com/presentations/bh-usa-02/bh-us-02-schonefel…
    www.javaworld.com/javaworld/javatips/jw-javatip134.html?pag…
    docs.oracle.com/javase/7/docs/
    java.sun.com/docs/codeconv/
    developers.sun.com/learning/javaoneonline/2008/pdf/TS-6589.…
    docs.sun.com/source/806-3568/ncg_goldberg.html
    java.sun.com/javase/6/docs/technotes/guides/security/
    docs.oracle.com/cd/E26576_01/index.htm
    www.stylusstudio.com/api/xalan-j_2_6_0/org/apache/xpath/com…
    java.sun.com/javase/6/docs/technotes/guides/jpda/index.html
    developers.sun.com/learning/javaoneonline/2007/pdf/TS-2906.…
    www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_…
    www.owasp.org/index.php/Main_Page
    www.cert.org/books/secure-coding
    jeremymanson.blogspot.ru/2008/12/benign-data-races-in-java.…
    docs.oracle.com/javase/6/docs/technotes/guides/security/cer…
    gafter.blogspot.com/
    docs.oracle.com/javase/7/docs/technotes/guides/security/cry…
    www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.…
    www.cs.umd.edu/%7Epugh/java/memoryModel/jsr133.pdf
    msdn.microsoft.com/en-us/library/ms378045%28SQL.90%29.aspx