...
Another acceptable solution involves using custom implementations of the writeObject(), writeReplace(), and writeExternal() methods that prevent sensitive fields from being written to the serialized stream.
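As an added illustration, not code from the CERT page: a class that restricts its serialized form with serialPersistentFields and a custom writeObject()/readObject() pair, then serializes an instance and scans the raw bytes to confirm the secret never reached the stream. The class and field names (Credentials, username, apiToken) and the constructed token value are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public final class Credentials implements Serializable {
    private static final long serialVersionUID = 1L;
    // Declares the serialized form: only "username" exists in the stream.
    private static final ObjectStreamField[] serialPersistentFields = {
        new ObjectStreamField("username", String.class)
    };

    private String username;   // non-sensitive, serialized
    private String apiToken;   // sensitive, must never reach the stream

    public Credentials(String username, String apiToken) {
        this.username = username;
        this.apiToken = apiToken;
    }
    // Custom serialized form: write the allowed fields explicitly.
    private void writeObject(ObjectOutputStream out) throws IOException {
        ObjectOutputStream.PutField f = out.putFields();
        f.put("username", username);   // apiToken deliberately omitted
        out.writeFields();
    }
    // Mirror of writeObject: the token is absent after deserialization.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField f = in.readFields();
        username = (String) f.get("username", null);
        apiToken = null;
    }
    public String getUsername() { return username; }
    public boolean hasToken() { return apiToken != null; }

    // Check: serialize, then scan the raw bytes for the (constructed) secret literal.
    public static void main(String[] args) throws Exception {
        Credentials c = new Credentials("alice", "tok-constructed-secret");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(c);
        }
        String raw = new String(bos.toByteArray(), StandardCharsets.ISO_8859_1);
        System.out.println("secret present in stream: " + raw.contains("tok-constructed-secret"));
        try (ObjectInputStream ois = new ObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            Credentials back = (Credentials) ois.readObject();
            System.out.println(back.getUsername() + " hasToken=" + back.hasToken());
        }
    }
}
```

The same byte-scan check is a cheap unit test to keep beside any class whose serialized form is hand-written, since a later field addition can silently reintroduce the leak.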
...
If sensitive data can be serialized, it may be transmitted over an insecure link, or stored in an insecure location, or disclosed inappropriately.
...
Related Guidelines

| CWE-499, "Serializable Class Containing Sensitive Data" | |
| CWE-502, "Deserialization of Untrusted Data" | |
| Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 5-2, Guard sensitive data during serialization |
...