CERT-J | Compliance | Fluid Attacks Help

CERT-J


Summary

The SEI CERT® Oracle® Secure Coding Standard for Java™ provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. The standard, published in 2011, addresses security issues in Java code.

Definitions

| Definition | Requirements |
|---|---|
| IDS00-J. Prevent SQL injection | 169. Use parameterized queries; 173. Discard unsafe inputs |
| IDS01-J. Normalize strings before validating them | 172. Encrypt connection strings |
| IDS03-J. Do not log unsanitized user input | 080. Prevent log modification |
| IDS06-J. Exclude unsanitized user input from format strings | 083. Avoid logging sensitive data |
| IDS14-J. Do not trust the contents of hidden form fields | 030. Avoid object reutilization; 032. Avoid session ID leakages; 181. Transmit data using secure protocols |
| IDS16-J. Prevent XML injection | 173. Discard unsafe inputs; 342. Validate request parameters |
| IDS17-J. Prevent XML External Entity attacks | 324. Control redirects |
| NUM00-J. Detect or prevent integer overflow | 345. Establish protections against overflows |
| OBJ10-J. Do not use public static nonfinal fields | 227. Display access notification |
| MET02-J. Do not use deprecated or obsolete classes or methods | 325. Protect WSDL files |
| MET03-J. Methods that perform a security check must be declared private or final | 158. Use a secure programming language |
| ERR01-J. Do not allow exceptions to expose sensitive information | 359. Avoid using generic exceptions |
| LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy | 026. Encrypt client-side session information; 320. Avoid client-side control enforcement |
| TSM00-J. Do not override thread-safe methods with methods that are not thread-safe | 337. Make critical logic flows thread safe |
| TSM02-J. Do not use background threads during class initialization | 346. Use initialization vectors once |
| FIO00-J. Do not operate on files in shared directories | 046. Manage the integrity of critical files; 280. Restrict service root directory |
| FIO01-J. Create files with appropriate access permissions | 186. Use the principle of least privilege; 341. Use the principle of deny by default |
| FIO03-J. Remove temporary files before termination | 036. Do not deploy temporary files; 177. Avoid caching and temporary files |
| FIO13-J. Do not log sensitive information outside a trust boundary | 083. Avoid logging sensitive data |
| FIO14-J. Perform proper cleanup at program termination | 183. Delete sensitive data securely |
| SER02-J. Sign then seal objects before sending them outside a trust boundary | 151. Separate keys for encryption and signatures; 178. Use digital signatures |
| SER12-J. Prevent deserialization of untrusted data | 321. Avoid deserializing untrusted data |
| SEC04-J. Protect sensitive operations with security manager checks | 378. Use of log management system; 380. Define a password management tool |
| ENV02-J. Do not trust the values of environment variables | 159. Obfuscate code |
| ENV06-J. Production code must not contain debugging entry points | 078. Disable debugging events |
| MSC00-J. Use SSLSocket rather than Socket for secure data exchange | 181. Transmit data using secure protocols |
| MSC02-J. Generate strong random numbers | 223. Uniform distribution in random numbers |
| MSC04-J. Do not leak memory | 164. Use optimized structures |
| MSC11-J. Do not let session information leak within a servlet | 026. Encrypt client-side session information |
| DRD19-J. Properly verify server certificate on SSL/TLS | 336. Disable insecure TLS versions |
| DRD15-J. Consider privacy concerns when using Geolocation API | 213. Allow geographic location |
| STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator | 044. Define an explicit charset |