The CERT Oracle Secure Coding Standard for Java (Paperback)

Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

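  • Publisher: Addison Wesley
  • Publication date: 2011-09-08
  • List price: $1,925
  • Sale price: $1,540 (80% of list price)
  • Language: English
  • Pages: 744
  • Binding: Paperback
  • ISBN: 0321803957
  • ISBN-13: 9780321803955
  • Related categories: Java programming language, Oracle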

Product description

“In the Java world, security is not viewed as an add-on feature. It is a pervasive way of thinking. Those who forget to think in a secure mindset end up in trouble. But just because the facilities are there doesn’t mean that security is assured automatically. A set of standard practices has evolved over the years. The Secure® Coding® Standard for Java™ is a compendium of these practices. These are not theoretical research papers or product marketing blurbs. This is all serious, mission-critical, battle-tested, enterprise-scale stuff.”

James A. Gosling, Father of the Java Programming Language

An essential element of secure coding in the Java programming language is a well-documented and enforceable coding standard. Coding standards encourage programmers to follow a uniform set of rules determined by the requirements of the project and organization, rather than by the programmer’s familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes).

The CERT® Oracle® Secure Coding Standard for Java™ provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard’s guidelines will lead to higher-quality systems: robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java, for devices such as PCs, game players, mobile phones, home appliances, and automotive electronics.

After a high-level introduction to Java application security, seventeen consistently organized chapters detail specific rules for key areas of Java development. For each area, the authors present noncompliant examples and corresponding compliant solutions, show how to assess risk, and offer references for further information. Each rule is prioritized based on the severity of consequences, likelihood of introducing exploitable vulnerabilities, and cost of remediation.

The standard provides secure coding rules for the Java SE 6 Platform, including the Java programming language and libraries, and also addresses new features of the Java SE 7 Platform. It describes language behaviors left to the discretion of JVM and compiler implementers, guides developers in the proper use of Java’s APIs and security architecture, and considers security concerns pertaining to standard extension APIs (from the javax package hierarchy). The standard covers security issues applicable to these libraries: lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP.
