SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 104

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2020.2

...

Use of plain sockets fails to provide any guarantee of the confidentiality and integrity of data transmitted over those sockets.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC00-J

Medium

Likely

High

P6

L2

Automated Detection

The general case of automated detection appears to be infeasible because determining which specific data may be passed through the socket is not statically computable. An approach that introduces a custom API for passing sensitive data via secure sockets may be feasible. User tagging of sensitive data is a necessary requirement for such an approach.

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
java:
Parasoft_V
java:
Parasoft_V
SECURITY.WSC.USC
Implemented
Use the SSL-enabled version of classes when possible

Related Guidelines

MITRE CWE

CWE-311, Failure to Encrypt Sensitive Data

Bibliography

[API 2014]

Class Socket

[Gong 2003]

Section 11.3.3, "Securing RMI Communications"

[Ware 2008]

 

...



...