Book Review: The CERT Oracle Secure Coding Standard for Java
About the Book
The CERT Oracle Secure Coding Standard for Java is a huge compilation of best practices for coding bug-free and secure Java applications. The book is broken up into chapters which focus on a specific area of programming or design. Each chapter is then further broken up into individual sections that represent best practices. Each best practice is given a unique identifier along with an example or examples of non-compliant and compliant code. The book weighs in at around 700 pages and can be read front to back or used as a reference for any particular topic.
The Audience/Skill Level
The book covers a broad range of programming topics and should be readable by anyone with basic knowledge of Java and security.
I work as a lead software engineer developing in Java on a day-to-day basis. I’m a big advocate of coding standards and I often promote them to my junior developers as I truly believe they lead to an overall better (and secure) product. When I heard about this book, I was eager to read it as I don’t think security is as heavily focused as it should be in the Java realm. My initial browsing through the book was promising. I really liked how the authors provided a non-compliant and compliant example in every situation. My hopes were set high.
This book is like Effective Java by Joshua Bloch on steroids. It’s an excellent reference for a number of best practices that people have developed over years and years of using Java. While I enjoyed reading the book and will be keeping it at my desk for a reference, my only plight with it is perhaps the title. My expectations were to read best practices as they pertained to Java and security, however, the book is mainly focused on how to avoid common bugs in Java and Java APIs that could potentially lead to programming errors. Those programming errors in turn may or may not lead to security vulnerabilities and sometimes the authors do not make that clear.
Those criticisms aside, I did find Chapter 6 and Chapter 15 of the book to be of particular interest to security. Chapter 6 is focused on object orientation and Chapter 15 is focused on serialization.
Chapter 6 talks about things like maliciously subclassing code and passing the malicious instance to an implementation to control its execution. The book heavily advocates defensive copying to prevent such attacks. Another interesting part of Chapter 6 is about finalizer attacks. Using the standard finalize() method in Java, it’s possible to construct an otherwise uncontructable object (e.g. because security constraints weren’t passed) by stealing a reference to it in the finalize() method.
Chapter 15 focuses on several of the attacks that are made possible by serialization. One of the weak points of Java security, in my opinion, is it’s native serialization. Particularly, the book focuses on how serialization can violate program invariants if not programmed properly (e.g. more than one instance of a Singleton). It also touches on a very important deserialization attack (CVE-2008-5353) where deserializing objects in a doPrivileged block can result in arbitrary code execution.
In summary, I would recommend this book to any Java professional as a basis for a coding standard for their project but security enthusiasts might find the material lacking.
I would like to thank Fred Long for providing me the copy of this book to review. Thanks a lot Fred – it was fun.
Comments are closed.