
Re: The CERT Oracle Secure Coding Standard for Java

From "John B. Matthews" <nospam@nospam.invalid>
Newsgroups comp.lang.java.programmer
Subject Re: The CERT Oracle Secure Coding Standard for Java
Date 2011-05-29 16:17 -0400
Organization The Wasteland
Message-ID <nospam-FD36DF.16170629052011@news.aioe.org>
References <899ac5cb-b1e4-44b1-8e27-e6385b4fdcdb@24g2000yqk.googlegroups.com> <irq910$vd8$1@speranza.aioe.org>



In article <irq910$vd8$1@speranza.aioe.org>,
 "Nasser M. Abbasi" <nma@12000.org> wrote:

> On 5/27/2011 10:44 AM, rCs wrote:
> > The CERT Oracle Secure Coding Standard for Java has been completed and
> > is now ready for
> > https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java.
> >
> > The CERT Oracle Secure Coding Standard for Java provides rules for 
> > secure coding in the Java programming language. The goal of these 
> > rules is to eliminate insecure coding practices that can lead to 
> > exploitable vulnerabilities.
> >
> > To review, you can create an account on the wiki and then post
> > comments to any of the pages, or respond directly to me.
> 
> I thought Java was already secure? i.e., no buffer overflow
> problems like with C, and the sandbox thing for applets and
> all of that. I did not know before that Java could be insecure.
> 
> But wouldn't it be better if the language could be defined
> so that these remaining security holes that can make it
> insecure were closed at the language definition level, instead of
> having a set of rules that one needs to print out and hang on
> the wall to look at while coding? This way it is the compiler's job
> to spot them, not the programmer's. Much better.
> 
> Just asking, that is all.

This related thread

<http://groups.google.com/group/comp.lang.ada/browse_frm/thread/bb14f1c1986544fb/>

adduced many of the same helpful responses seen in this thread itself:

<http://groups.google.com/group/comp.lang.java.programmer/browse_frm/thread/ed6b7366b0df754a>

One document mentioned there was particularly comprehensive: NASA 
Software Safety Guidebook:

<http://www.hq.nasa.gov/office/codeq/doctree/871913.pdf>

FindBugs is especially handy for highlighting potential violations:

<http://findbugs.sourceforge.net/>

-- 
John B. Matthews
trashgod at gmail dot com
<http://sites.google.com/site/drjohnbmatthews>
