CERT

The Java rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.

Create a sign-in account if you want to comment on existing content. If you wish to be more involved and directly edit content on the site, you still need an account, but you'll also need to request edit privileges.   


 

Secure Java Coding Books

There are two books available that cover Java: one for rules and the other for guidelines.

The CERT Oracle Secure Coding Standard for Java provides rules for Java Platform Standard Edition 6 and Java SE 7.

 

 

Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs provides guidelines, recommendations, and examples to enable the creation of reliable, robust, fast, maintainable, and secure code.

Source Code Analysis Laboratory (SCALe)

SCALe offers conformance testing of Java language software systems against the CERT Oracle Secure Coding Standard for Java.

Contact Us

Contact us if you

  • have questions about the Secure Coding wiki
  • have recommendations for standards in development
  • want to request privileges to participate in standards development

Thank You!

We acknowledge the contributions of the following folks, and we look forward to seeing your name here as well.

Rules vs. Recommendations

This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Learn more about the differences.

Linking to Our Pages

Link to guidelines using the Tiny Link under Tools→Link to this Page... (This URL will not change if the name of the guideline changes.)   

Information for Editors

  • To eliminate a section from the lists above, label it section and void.
  • To have a section listed as a recommendation, label it section and recommendation.
  • To have a section listed as a rule, label it section and rule.

 

7 Comments

  1. I would like to see a downloadable version of the Java Secure Coding Standard. Maybe a zip with HTML files or an all-in-one HTML file could be provided. PDF would also be nice. I am sure I am not the only one who is interested in this.

    1. PDF versions of The CERT Oracle Secure Coding Standard for Java are available from InformIT at http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955

  2. Hi,

    We have tried to set up PMD rules to automatically detect non-conformities to these rules. Do you have a list of rules that can be 100 percent detected automatically? For us, there are many rules which create false positives. Also, do you have any particular advice on implementing automated detection?

    Thanks

    Paul

    1. Paul,

      We've implemented a few automated checkers for CERT rules. See http://keshmesh.cs.illinois.edu/. I'd be happy to learn more about your project. Which rules does your tool support? Are your checkers open source?

    2. Hi Paul,

      No, we do not have any such list. One of the problems is, as you point out, that "detected automatically" is really a relative term, based on tolerance for false positives. However, we are actively investigating this question by attempting to develop (heuristic) checkers for as many rules as possible.

      Regarding particular advice -- some rules have specific textual comments regarding the possibilities for automatic detection which might be useful. If you have questions regarding particular rules, please let us know which ones, and we'd be happy to give you what advice we can regarding automatic detection.

      I should be upfront with one disclaimer: while all rules are rated with remediation levels, and the definition of the remediation levels involves the potential for automatic checking for rule conformance, you should take those interpretations with a grain of salt. That is, while we stand by the remediation difficulty ratings in the abstract, the specific interpretations (in the introduction) in terms of automatic/manual detection/correction are not always applicable.  Rather, it is best to go by what, if anything, about automatic detection is mentioned in the textual discussion of the rule.

      Cheers

  3. The.CERT.Oracle.Secure.Coding.Standard.for.Java is an excellent book. I congratulate you; many thanks from Piura, Peru.