“Java Secure Coding Guidelines for Java SE”
Speaker: Andrew Gross
For more blog posts from JavaOne, see the table of contents
This was the first Oracle talk I saw. It had the Oracle disclaimer. I was impressed he only showed it for 5 seconds. “It was there”!
References:
- Oracle Secure Coding Guide
- OWASP Top 10
- SANS Top 25
- CWE Mitre – bad examples/anti-patterns
- CERT Secure Coding – book and wiki examples
Mutability
- make copies of data for output/input
- copy list so know type/order as well
- equals can be override so don’t trust identity equality
- Java 8 adds unmodifiable view of list
- Java 9 actually adds immutable collection with List.of()
Object construction
- May need to protect if object isn’t completely created but have data to secure
- Throwing an exception from a constructor does not protect from obtaining if finalize overridden
- Making final helps
- Use initialized field and don’t set fields until clean
- Since Java 6, object guaranteed to be destroyed if exception thrown before super() called
Serialization
- Avoid if security sensitive and guard sensitive data
- Adds a hidden constructor
- Lambdas can be serializiable [how? and they don’t have data anyway?]
- Do not deserialize untrusted data. ex: microservices
- Java 9 added a filter that can be invoked during deserialization so can limit based on what is expected
Access Control
- Confused deputy – you can’t go to bank and ask for a million dollars. But if bank manager does on your behalf, he/she can. Confused deputy is where more privilege code does something on less privileged code’s behalf
Oracle security announcements are going to start including module names so can determine if affected.
My take: I mostly mentally checked out halfway through. This was really dry. I did learn that the Secure Coding Guidelines exist which means I can read it at some point. It didn’t help that he said to hold all questions; that would have broken it up a little and added some perspective.