Book Review: The CERT Oracle Secure Coding Standard For Java

brothke writes "It has been a decade since Oracle started their unbreakable campaign touting the security robustness of their products. Aside from the fact that unbreakable only refers to the enterprise kernel; Oracle still can have significant security flaws. Even though Java supports very strong security controls including JAAS (Java Authentication and Authorization Services), it still requires a significant effort to code Java securely. With that The CERT Oracle Secure Coding Standard for Javais an invaluable guide that provides the reader with the strong coding guidelines and practices in order to reduce coding vulnerabilities that can lead to Java and Oracle exploits." Read on for the rest of Ben's review.

The CERT Oracle Secure Coding Standard for Java
author	Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
pages	744
publisher	Addison-Wesley Professional
rating	10/10
reviewer	Ben Rothke
ISBN	0321803957
summary	Definitive guide on the topic

The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.

The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.

This book provides a set of guidelines for secure programming in Java SE 6 and 7 environments. It is primarily targeted at software developers and computer security practitioners. While Java is inherently designed to be relatively secure as compared with other languages, it requires the developer to understand the security controls and language features thoroughly before he can implement them correctly. The book illustrates insecure coding practices and suggests corresponding safe alternatives to enable a developer to have an optimal blueprint.

Software developers are constantly under pressure to accommodate feature requests and have to strike a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines. At the same time they routinely tackle technical challenges and often document their experience for the benefit of others. This book is one such effort, in that, several programmers and reviewers have contributed the contents. It encourages a developer to think beyond programming logic and enables him to produce clear, concise, maintainable and secure code – a mandatory requirement for today's dynamic software industry which is plagued by a spectrum of security threats and attrition's.

This book isn't for a Java beginner. The introductory chapter expects an intermediate or seasoned Java professional to identify the gamut of security vulnerabilities that frequently manifest in code and design. The chapter briefly explains injections attacks, unintended information disclosure, denial of service and issues involving concurrency and class loaders. Summary tables have been provided to assist the reader to easily locate representative secure coding rules for each category.

The examples presented primarily encompass the lang and util libraries of Java SE and also cover collections, concurrency, logging, management, reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP libraries. No particular Java platform or technology has been favored; the set of rules is generic and independent of whether a mobile, enterprise, desktop or web application is being developed.

Notably, the layout enables the practitioner to pick up any chapter or rule at random without requiring him to read the preceding pages. Each rule has a short description of a unique problem and one or more non-compliant and compliant code examples. Risk assessment and references to other coding standards along with bibliography are also provided.

Unfortunately, the suggested tips for automatic detection of described problems aren't very practical because no automated bug detection tools have been vetted. Some rules also have a related vulnerabilities section that preys on weaknesses in commonplace software in context of the described problem.

Chapter 2 focuses on input validation and data sanitization. It highlights attacks such as SQL, XML, and OS injection and XML External Entity (XXE) and suggests corresponding mitigation techniques. It mentions but doesn't elaborate on web-based attacks such as cross-site scripting and CSRF, to avoid being too domain specific. The chapter advises developers to normalize strings, canonicalize and validate path names, refrain from logging unsanitized input, use appropriate internationalization and globalization APIs, avoid string encoding misgivings and other issues.

Chapters 3, 4 and 5 deal with declarations and class initialization, expressions, and numeric operations respectively. Dangers of auto-boxing, side-effects in assertions, integer overflow, and vagaries of floating point arithmetic are discussed at length.

The examples are short, to the point and intellectually challenging for the advanced reader. For example, one rule – don't use denormalized numbers dissects a vulnerability in Java 1.6 and earlier that allows an attacker to perform a denial of service attack by sending a crafted input to the JVM.

The book devotes a chapter to object-oriented programming and stresses on limiting extensibility of classes, encapsulating data, ensuring that code refactoring doesn't result in broken class hierarchies, using generics for fun and profit and so on.

Another chapter discusses Java methods, for example, one rule suggests that subclasses mustn't increase the accessibility of an overridden method. There is some useful information about using methods of Object class properly. This information is standard advice that can also be found in other books. This book offers all that and more. For example, one rule documents a convincing and exhaustive list of reasons why you shouldn't use finalizers.

The book also highlights misconstrued exception handling practices through examples akin to the shortcuts programmers invent, to save themselves from the trouble of having to handle exceptions. It explains why doing that can be insidious. Information disclosure arising from ill-conceived exception handling strategies is also discussed. Some may disagree with the advice on the pretext that exception handling when done the right way leads to unreadable code, however, the features presented from Java 7 convincingly offer a middle path. Further, when compliance with a certain rule is believed to be challenging and costly, the standard allows documented deviations and even lists valid exceptions for each rule.

Chapters 9, 10, 11, 12 and 13 are reserved for concurrency related issues. There are more than 30 rules in these chapters; the set could qualify as a handbook of concurrency issues and solutions. At a high level, the chapters cover visibility and atomicity, locking, thread class APIs, thread pools and thread safety in multi-threaded Java programs. The chapters don't assume that the reader has any familiarity with multi-threaded programming.

The next few chapters highlight input-output (I/O) risks such as working with shared directories, using files securely, closing resource handles properly, serialization and more. The book doesn't assume that the reader has a sophisticated background in serialization and builds from the basics. It cites examples of vulnerabilities that necessitate understanding the role of serialization.

A chapter on platform security follows, and is meant for advanced Java users. This chapter leads to another on runtime environment that cautions against signing code, granting permissions frivolously and permitting insecure deployment configurations. The final chapter captures miscellaneous rules that forbid hardcoding sensitive information, leaking memory, generating weak random numbers and writing insecure singletons among other topics.

Many other leading security standards delineate high-level measures that must be taken to ensure compliance but most fall short of prescribing the exact recipe to get there. This book fills that gap by approaching security from the ground-zero level upwards. However, it doesn't clearly specify to what extent the rules will help organizations meet the compliance goals proposed by other security standards. All the same, the eighteen crisp chapters of this book undeniably have the potential to help the software developer win the battle against software insecurity on his own terms.

For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Javais a very useful resource that no programmer should be without.

Ben Rothkeis the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase The CERT Oracle Secure Coding Standard for Java from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.