Leaking Sensitive Data
A system's security policy determines which information is sensitive. Sensitive data may include user information such as social security or credit card numbers, passwords, or private keys. When components with differing degrees of trust share data, the data are said to flow across a trust boundary. Because Java allows components in different trusted domains to communicate with each other, data can be transmitted across a trust boundary. Systems must ensure that data is not transmitted to a component in a different trusted domain if authorized users in that domain are not permitted access to the data.
Figure 1.2. Filtering Data.
Java software components provide many opportunities to output sensitive information. Rules that address the mitigation of sensitive information disclosure include:
Type Safety
Java is widely considered to be a type-safe language [LSOD 02]. For that reason, it should not be possible to compromise a Java program by misusing the type system. To see why type safety is so important, consider the following types:
...
A field that is declared public may be directly accessed by any part of a Java program and may be modified from anywhere in a Java program (unless the field is declared final; note that final prevents reassignment of the field but not in-place modification of an array or mutable object it refers to). Clearly, sensitive information must not be stored in a public field, as it could be compromised by any code that can run in the JVM executing the program.
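The following is an added example, not code from the CERT page, illustrating both points above: a public field that leaks a secret to any code in the JVM, and a class that keeps the secret private and releases a copy only after a trust check that stands in for the system's security policy (the `TrustPolicy` interface, the `"credential.read"` action name, and the sample password are all assumptions made for this example).

```java
import java.util.Arrays;

// Vulnerable: any code running in the same JVM can read or overwrite these.
final class LeakyCredential {
    public char[] password;       // readable and writable from anywhere
    public static String apiKey;  // one shared value for the whole JVM
}

// Hypothetical stand-in for whatever check the system's security policy
// requires before data may cross a trust boundary.
interface TrustPolicy {
    boolean permits(String action);
}

// Hardened: the secret is private, is handed out only after the trust
// check succeeds, and the caller receives a copy it can wipe independently.
final class GuardedCredential {
    private final char[] password;  // never exposed directly

    GuardedCredential(char[] password) {
        // Defensive copy so the caller does not keep an alias to our storage.
        this.password = password.clone();
    }

    // Release the secret only to a caller the policy permits.
    char[] reveal(TrustPolicy policy) {
        if (!policy.permits("credential.read")) {  // assumed action name
            throw new SecurityException("caller not permitted to read credential");
        }
        return password.clone();  // a copy: wiping it does not wipe ours
    }

    // Overwrite the stored secret once it is no longer needed.
    void destroy() {
        Arrays.fill(password, '\0');
    }
}

public class SensitiveFieldDemo {
    public static void main(String[] args) {
        // Constructed sample secret; not a real credential.
        GuardedCredential cred = new GuardedCredential("s3cr3t".toCharArray());

        TrustPolicy trusted = action -> action.equals("credential.read");
        TrustPolicy untrusted = action -> false;

        char[] copy = cred.reveal(trusted);
        System.out.println("trusted caller received " + copy.length + " chars");
        Arrays.fill(copy, '\0');  // caller wipes its own copy when done

        try {
            cred.reveal(untrusted);
        } catch (SecurityException e) {
            System.out.println("untrusted caller blocked: " + e.getMessage());
        }
        cred.destroy();
    }
}
```

The `char[]` rather than `String` choice lets the secret be overwritten in place; a `String` is immutable and stays in the heap until garbage collected. In a real system the `TrustPolicy` check would be replaced by the application's own authorization mechanism; the example only shows where that check has to sit, which is before the data leaves the class.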