[javaone 2026] Secure Coding Guidelines for Java

Speaker: Andrew Gross



General

  • Vulnerability – flaw or weakness that could be exploited to violate the system’s security policy
  • Design/Architecture – faulty assumptions, missing security mechanisms
  • Implementation – insecure programming practices
  • Integration/test – config errors, vulnerable third-party code
  • Deployment/release – missing third party patches

Cost of vulnerabilities

  • Remediation time/resources to fix/build/release
  • Intermediate response – migration, detection, incident response
  • Damage to reputation – PR, liability

Secure coding

  • Design/Architecture – training, threat modeling, misuse cases
  • Implementation – manual code review, static analysis
  • Integration/Test – dependency checkers, static analysis, runtime testing, negative testing
  • Deployment/release – vulnerability scanning, monitoring (ex: WAFs), dependency patching, vulnerability remediation

Secure Coding Guidelines for Java SE doc

  • Guidelines at: https://www.oracle.com/java/technologies/javase/seccodeguide.html
  • Covers – general guidelines and Java specific ones
  • Not meant to be comprehensive or a tutorial
  • Updated as they see problems, additional context, or new security features like JEP 486 to disable the security manager
  • Gave examples: secure third-party code, injection/inclusion, take care interpreting untrusted code, input validation, serialization/deserialization, filter untrusted serialized data
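
The "filter untrusted serialized data" item above, as an added example (not from the talk or the guidelines document): an allow-list `ObjectInputFilter` installed on the stream before the first read. The `Order` record, the class name `SerialFilterDemo` and the limit values are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Hypothetical application type that is expected on the wire.
    record Order(String id, int quantity) implements Serializable {}

    // Graph limits, the allow-list, then "!*" to reject everything else.
    // Without the trailing "!*" an unmatched class is UNDECIDED and is
    // allowed through unless another filter rejects it.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=4096;maxarray=64;"
            + "SerialFilterDemo$Order;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize untrusted bytes with the filter set before any object is read.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected type, one unexpected type.
        byte[] expected = serialize(new Order("A-100", 3));
        byte[] unexpected = serialize(new ArrayList<>(List.of("x", "y")));

        System.out.println("accepted: " + readFiltered(expected));
        try {
            readFiltered(unexpected);
            System.out.println("unexpected type was accepted");
        } catch (InvalidClassException e) {
            // The filter returned REJECTED for java.util.ArrayList.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```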

News

  • 2021 – remote code execution in log4j
  • 2021 – Confluence OGNL injection
  • 2022 – Cobalt Strike – simulator for red teams. Had XSS vulnerability. Client uses Swing so HTML could be rendered into UI.
  • 2022 – Text4Shell
  • 2024 – XZ Utils Backdoor. Malicious co-maintainer over several years. Was trying to put into httpd but discovered first
  • 2025 – npm packages compromise. Phishing
  • 2025 – deserialization – SAP NetWeaver, Cisco Unified Contact, NetIQ, SolarWinds, etc

Takeaways

  • Apply secure coding practices to eliminate and minimize impact of vulnerabilities
  • Consider security throughout the SDLC
  • Follow the Secure Coding Guidelines for Java

My take

I didn’t realize how close this was going to be to presenting the guidelines document, which I’ve read. So the session itself was fine, but I should have chosen a different one. The “from the news” part was more engaging for me. I was also surprised not to have any AI mentions. It wasn’t in the abstract, but it affects the SDLC.
