CERT Secure Coding Team Publishes Secure Coding Standard for Java
September 14, 2011— A team of software security researchers in the CERT Program at the SEI has authored The CERT® Oracle® Secure Coding Standard for Java. The book is published by Addison-Wesley Professional. This standard is the first comprehensive compilation of code-level requirements for developing secure systems in Java.
The CERT® Oracle® Secure Coding Standard for Java identifies and addresses the coding errors most likely to produce security vulnerabilities in Java programs. It also provides guidelines for avoiding these mistakes. Though focused on Java versions 7 SE and 6 SE, the authors note that programmers working in other Java versions will also find value in this standard. The coding standard was developed as a community project on the CERT Secure Coding wiki. Numerous industry experts contributed material and served as reviewers.
Speaking for the CERT secure coding team, Robert C. Seacord noted the secure coding standard for Java extends the line of work undertaken through the SEI’s Secure Coding Initiative. The CERT secure coding team has produced several standards, including Secure Coding in C and C++ (Addison-Wesley 2005) and The CERT C Secure Coding Standard (Addison-Wesley 2008).
“Conformance to these coding standards will allow developers to produce code that is free from those coding errors known to result in exploitable vulnerabilities,” said Seacord. “We want to establish a set of rules that allow programmers to produce secure software and systems.” Seacord also noted the secure coding standards establish a set of requirements for code security against which software can be evaluated.
Joining Seacord as co-authors of the The CERT® Oracle® Secure Coding Standard for Java are Dean F. Sutherland and David Svoboda, both members of the technical staff at the SEI. They are joined by SEI visiting scientists Fred Long, senior lecturer in computer science at Aberystwyth University in the United Kingdom, and Dhruv Mohindra, senior software engineer at Persistent Systems Limited, located in Pune, India. Thomas Hawtin, security engineer at Oracle Corporation, worked closely with the CERT team as it developed the standard. “The continual review and guidance Thomas provided were essential to producing a quality standard,” noted Seacord.
The secure coding team is already planning a follow-up book that will expand on the work of this initial standard. It is also currently developing The CERT C Secure Coding Standard, Version 2.0 and The CERT C++ Secure Coding Standard.
For more information about The CERT® Oracle® Secure Coding Standard for Java, and to read a sample chapter, visit http://www.informit.com/store/product.aspx?isbn=9780321803955 .
For more information about the secure coding research at CERT, visit http://www.cert.org/secure-coding/.
For more information