SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 299

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 300

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
Abadi 96Abadi 96
[Abadi 1996] Abadi, Martin, and Roger Needham. Prudent Engineering Practice for Cryptographic Protocols. IEEE Transactions on Software Engineering 22(1):6–15 (1996). AnchorAPI 06
API 11
API 11

[API 2011API 06 [API 2006] Java Platform, Standard Edition 6 7 API Specification. Oracle (2006/2011).

Anchor
Black 04
Black 04API 11API 11

[API 2011] Java Platform, Standard Edition 7 API Specification. Oracle (2011). AnchorAustin 00Austin 00 [Austin 2000] Austin, Calvin, and Monica Pawlan. Advanced Programming for the Java 2 Platform. Boston: Addison-Wesley Longman (2000). AnchorBlack 04Black 04 [Black 2004] Black, Paul E., and Paul Black 2004] Black, Paul E., and Paul J. Tanenbaum. "Partial order." In Dictionary of Algorithms and Data Structures [online]. Paul E. Black, ed., U.S. National Institute of Standards and Technology (2004).

Anchor
Bloch 01
Bloch 01Black 06Black 06

[Black 2006Bloch 2001] Black, Paul E., and Paul J. Tanenbaum. "Total order." In Dictionary of Algorithms and Data Structures [online]. Paul E. Black, ed., U.S. National Institute of Standards and Technology (2006). AnchorBloch 01Bloch 01 [Bloch 2001] Bloch, Joshua. Bloch, Joshua. Effective Java: Programming Language Guide. Boston: Addison-Wesley (2001).

Anchor
Bloch 05
Bloch 05

[Bloch 2005] Bloch, Joshua, and Neal Gafter. Java Puzzlers: Traps, Pitfalls, and Corner Cases. Upper Saddle River, NJ: Addison-Wesley (2005).

Anchor
Bloch 0708
Bloch 0708

[Bloch 20072008] Bloch, Joshua. Effective Java™ Reloaded: This Time It's (Not) for Real. JavaOne Conference (2007Java, 2nd ed. Upper Saddle River, NJ: Addison-Wesley (2008).

Anchor
Campione 96
Campione 96Bloch 08Bloch 08

[Bloch 2008] Bloch, Joshua. Effective Java, 2nd ed. Upper Saddle River, NJCampione 1996] Campione, Mary, and Kathy Walrath. The Java Tutorial: Object-Oriented Programming for the Internet. Reading, MA: Addison-Wesley (20081996).

Anchor
Chan 99
Chan 99Bloch 09Bloch 09

[Bloch 2009Chan 1999] Bloch, JoshuaChan, Patrick, Rosanna Lee, and Neal Gafter. Return of the Puzzlers: Schlock and Awe. JavaOne Conference (2009Douglas Kramer. The Java Class Libraries: Supplement for the Java 2 Platform, v1.2, 2nd ed., vol. 1. Upper Saddle River, NJ: Prentice Hall (1999).

Anchor
Cohen 81
Cohen 81Boehm 05Boehm 05

[Boehm 2005Cohen 1981] BoehmCohen, Hans-J. Finalization, Threads, and the Java™ Technology-Based Memory Model. JavaOne Conference (2005D. On Holy Wars and a Plea for Peace, IEEE Computer, 14(10):48–54 (1981).

Anchor
Conventions 09
Conventions 09Campione 96Campione 96

[Campione 1996] Campione, Mary, and Kathy Walrath. The Java Tutorial: Object-Oriented Programming for the Internet. Reading, MA: Addison-Wesley (1996Conventions 2009] Code Conventions for the Java Programming Language. Oracle (2009).

Anchor
Coomes 07
Coomes 07CCITT 88CCITT 88

[CCITT 1988] CCITT (International Telegraph and Telephone Consultative Committee). CCITT Blue Book: Recommendation X.509 and IS0 9594-8: The Directory-Authentication Framework. Geneva: International Telecommunication Union (1988Coomes 2007] Coomes, John, Peter Kessler, and Tony Printezis. Garbage Collection-Friendly Programming. Java SE Garbage Collection Group, Sun Microsystems, JavaOne Conference (2007).

Anchor
Chan 99Chan 99
[Chan 1999] Chan, Patrick, Rosanna Lee, and Douglas Kramer. The Java Class Libraries: Supplement for the Java 2 Platform, v1.2, 2nd ed., vol. 1.
Core Java 04
Core Java 04

[Core Java 2004] Horstmann, Cay S., and Gary Cornell. Core Java™ 2, Vol. I: Fundamentals, 7th ed. Upper Saddle River, NJ: Prentice Hall PTR (19992004).

Anchor
Chess Coverity 07Chess
Coverity 07

[Chess 2007] Chess, Brian, and Jacob West. Secure Programming with Static Analysis. Upper Saddle River, NJ: Addison-Wesley Professional (2007)Coverity 2007] Coverity Prevent User's Manual (3.3.0). 2007.

Anchor
Daconta 03
Daconta 03Christudas 05Christudas 05

[Christudas 2005] Christudas, Binildas. Internals of Java Class Loading, ONJava (2005Daconta 2003] Daconta, Michael C., Kevin T. Smith, Donald Avondolio, and W. Clay Richardson. More Java Pitfalls. Indianapolis: Wiley (2003).

Anchor
Davis 08
Davis 08Cohen 81Cohen 81

[Cohen 1981] Cohen, D. On Holy Wars and a Plea for Peace, IEEE Computer, 14(10):48–54 (1981). AnchorConventions 09Conventions 09 [Conventions 2009] Code Conventions for the Java Programming Language. Oracle (2009). AnchorCoomes 07Coomes 07 [Coomes 2007] Coomes, John, Peter Kessler, and Tony Printezis. Garbage Collection-Friendly Programming. Java SE Garbage Collection Group, Sun Microsystems, JavaOne Conference (2007). AnchorCore Java 04Core Java 04 [Core Java 2004] Horstmann, Cay S., and Gary Cornell. Core Java™ 2, Vol. I: Fundamentals, 7th ed. Upper Saddle River, NJ: Prentice Hall PTR (2004). AnchorCoverity 07Coverity 07 [Coverity 2007] Coverity Prevent User's Manual (3.3.0). 2007. AnchorCunningham 95Cunningham 95 [Cunningham 1995] Cunningham, Ward. The CHECKS Pattern Language of Information Integrity. In Pattern Languages of Program Design, James O. Coplien and Douglas C. Schmidt, eds. Reading, MA: Addison-Wesley (1995). AnchorDaconta 00Daconta 00 [Daconta 2000] Daconta, Michael C. When Runtime.exec() Won't. JavaWorld.com (2000). AnchorDaconta 03Daconta 03 [Daconta 2003] Daconta, Michael C., Kevin T. Smith, Donald Avondolio, and W. Clay Richardson. More Java Pitfalls. Indianapolis: Wiley (2003). AnchorDarwin 04Darwin 04 [Darwin 2004] Darwin, Ian F. Java Cookbook, 2nd ed. Sebastopol, CA: O’Reilly (2004). AnchorDavis 08Davis 08 [Davis 2008] Davis, Mark, and Ken Whistler. Unicode Standard Annex #15: Unicode Normalization Forms (2008). AnchorDavis 08bDavis 08b [Davis 2008b] Davis, Mark, and Michel Suignard. Unicode Technical Report #36, Unicode Security Considerations (2008). AnchorDennis 1966Dennis 1966 [Dennis 1966] Dennis, Jack B., and Earl C. Van Horn. 1966. Programming Semantics for Multiprogrammed Computations. Communications of the ACM, 9(3):143–155 (1966). doi: 10.1145/365230.365252. AnchorDHS 06DHS 06 [DHS 2006] U.S. Department of Homeland Security. Build Security In (2006/2011). AnchorDormann 08Dormann 08 [Dormann 2008] Dormann, Will. Signed Java Applet Security: Worse Than ActiveX? CERT Vulnerability Analysis Blog (2008). AnchorDoshi 03Doshi 03 [Doshi 2003] Doshi, Gunjan. Best Practices for Exception Handling. ONJava (2003). AnchorDougherty 2009Dougherty 2009 [Dougherty 2009] Dougherty, Chad, Kirk Sayre, Robert C. Seacord, David Svoboda, and Kazuya Togashi. Secure Design Patterns. CMU/SEI-2009-TR-010 (2009). AnchorEclipse 08Eclipse 08 [Eclipse 2008] Eclipse Platform, The Eclipse Foundation (2008). AnchorEncodings 06Encodings 06 [Encodings 2006] Supported Encodings, Oracle (2006/2011). AnchorEnterprise 03Enterprise 03 [Enterprise 2003] Eckstein, Robert. Java Enterprise Best Practices. Sebastopol, CA: O'Reilly (2003). AnchorESA 05ESA 05 [ESA 2005] ESA (European Space Agency). Java Coding Standards. Prepared by ESA Board for Software Standardisation and Control (BSSC) (2005). AnchorFairbanks 07Fairbanks 07 [Fairbanks 2007] Fairbanks, George. Design Fragments. PhD thesis, Carnegie Mellon University (2007). AnchorFindBugs 08FindBugs 08 [FindBugs 2008] FindBugs Bug Descriptions (2008/2011). AnchorFisher 03Fisher 03 [Fisher 2003] Fisher, Maydene, Jon Ellis, and Jonathan Bruce. JDBC API Tutorial and Reference, 3rd ed. Upper Saddle River, NJ: Prentice Hall (2003). AnchorFlanagan 05Flanagan 05 [Flanagan 2005] Flanagan, David. Java in a Nutshell, 5th ed. Sebastopol, CA: O'Reilly Media (2005). AnchorFortify 08Fortify 08 [Fortify 2008] Fortify Software Security Research Group with Gary McGraw. A Taxonomy of Coding Errors That Affect Security (see Java/JSP) (2008/2011). AnchorFox 01Fox 01 [Fox 2001] Fox, Joshua. When Is a Singleton Not a Singleton? JavaWorld (2001). AnchorFT 08FT 08 [FT 2008] Function Table: Class FunctionTable, Field Detail, public static FuncLoader m_functions. Apache XML Project (2008). AnchorGafter 06Gafter 06 [Gafter 2006] Gafter, Neal. Neal Gafter's blog (2006). AnchorGamma 95Gamma 95 [Gamma 1995] Gamma, Erich, Richard Helm, Ralph Johnson, and John M. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Reading, MA: Addison-Wesley (1995). AnchorGarms 01Garms 01 [Garms 2001] Garms, Jess, and Daniel Somerfield. Professional Java Security. Birmingham, UK: Wrox Press (2001). AnchorGNU 13GNU 13 [GNU 2013] GNU Coding Standards, §5.3, "Clean Use of C Constructs." (GNU Coding Standards were written by Richard Stallman and other GNU Project volunteers.) (2013). AnchorGoetz 02Goetz 02 [Goetz 2002] Goetz, Brian. Java Theory and Practice: Safe Construction Techniques: Don't Let the "this" Reference Escape during Construction. IBM developerWorks (2002). AnchorGoetz 04Goetz 04 [Goetz 2004] Goetz, Brian. Java Theory and Practice: Garbage Collection and Performance: Hints, Tips, and Myths about Writing Garbage Collection-Friendly Classes. IBM developerWorks (2004). AnchorGoetz 04bGoetz 04b

[Goetz 2005a] Goetz, Brian. Java Theory and Practice: Be a Good (Event) Listener, Guidelines for Writing and Supporting Event Listeners. IBM developerWorks (2005).

Davis 2008] Davis, Mark, and Ken Whistler. Unicode Standard Annex #15: Unicode Normalization Forms (2008).

 

Anchor
Dennis 1966
Dennis 1966

[Dennis 1966] Dennis, Jack B., and Earl C. Van Horn. 1966. Programming Semantics for Multiprogrammed Computations. Communications of the ACM, 9(3):143–155 (1966). doi: 10.1145/365230.365252.

Anchor
Dougherty 2009
Dougherty 2009

[Dougherty 2009] Dougherty, Chad, Kirk Sayre, Robert C. Seacord, David Svoboda, and Kazuya Togashi. Secure Design Patterns. CMU/SEI-2009-TR-010 (2009).

Anchor
ESA 05
ESA 05

[ESA 2005] ESA (European Space Agency). Java Coding Standards. Prepared by ESA Board for Software Standardisation and Control (BSSC) (2005).

Anchor
FindBugs 08
FindBugs 08

[FindBugs 2008] FindBugs Bug Descriptions (2008/2011).

Anchor
Flanagan 05
Flanagan 05

[Flanagan 2005] Flanagan, David. Java in a Nutshell, 5th ed. Sebastopol, CA: O'Reilly Media (2005).

Anchor
Fortify 08
Fortify 08

[Fortify 2008] Fortify Software Security Research Group with Gary McGraw. A Taxonomy of Coding Errors That Affect Security (see Java/JSP) (2008/2011).

Anchor
GNU 13
GNU 13

[GNU 2013] GNU Coding Standards, §5.3, "Clean Use of C Constructs." (GNU Coding Standards were written by Richard Stallman and other GNU Project volunteers.) (2013).

Anchor
Goetz 04
Goetz 04

[Goetz 2004] Goetz, Brian. Java Theory and Practice: Garbage Collection and Performance: Hints, Tips, and Myths about Writing Garbage Collection-Friendly Classes. IBM developerWorks (2004).

Anchor
Goetz 06
Goetz 06

[Goetz 2006] Goetz, Brian, Tim Peierls, Joshua Bloch, Joseph Bowbeer, David Holmes, and Doug Lea. Java Concurrency in Practice. Upper Saddle River, NJ: Addison-Wesley Professional (2006).

Anchor
Goetz 07
Goetz 07

[Goetz 2007] Goetz, Brian. Java Theory and Practice: Managing Volatility: Guidelines for Using Volatile Variables. IBM developerWorks (2006).

Anchor
Gong 03
Gong 03

[Gong 2003] Gong, Li, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Upper Saddle River, NJ: Prentice Hall (2003).

Anchor
Goodliffe 06
Goodliffe 06

[Goodliffe 2006] Pete Goodliffe. Code Craft: The Practice of Writing Excellent Code. San Francisco: No Starch Press (2006).

Anchor
Grand 02
Grand 02

[Grand 2002] Grand, Mark. Patterns in Java, Vol. 1, 2nd ed. New York: Wiley (2002).

Anchor
Grubb 13
Grubb 13

[Grubb 2013] Penny Grubb, and Armstrong A. Takang. Software Maintenance Concepts and Practice, 2nd ed.  River Edge, NJ: World Scientific (2013).       

Anchor
Guillardoy 12
Guillardoy 12

[Guillardoy 2012] Guillardoy, Esteban (Immunity Products). Java 0-day analysis (CVE-2012-4681) (August 28, 2012).

Anchor
Hatton 95
Hatton 95

[Hatton 1995] Hatton, Les. Safer C: Developing Software for High-Integrity and Safety-Critical Systems. New York: McGraw-Hill, 1995 (ISBN 0-07-707640-0).

Anchor
Havelund 10
Havelund 10

[Havelund 2010]  Klaus Havelund, and Al Niessner.  JPL Coding Standard, Version 1.1 (January 25, 2010)  

Anchor
Hawtin 06
Hawtin 06

[Hawtin 2006] Hawtin, Thomas. [drlvm][kernel_classes] ThreadLocal vulnerability. MarkMail (2006).

Anchor
Hirondelle 13
Hirondelle 13

[Hirondelle 2013] Hirondelle Systems. Passwords Never Clear in Text (2013).

Anchor
JLS 11
JLS 11

[JLS 2011] Gosling, James, Bill Joy, Guy Steele, Gilad Bracha, and Alex Buckley. Java Language Specification: Java SE 7 Edition. Oracle America (2011).

Anchor
Jovanovic 06
Jovanovic 06

[Jovanovic 2006] Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 258–263, May 21–24, Oakland, CA (2006).

Anchor
JPL 06
JPL 06

[JPL 2006] Arnold, Ken, James Gosling, and David Holmes. The Java™ Programming Language, 4th ed. Reading, MA: Addison-Wesley Professional (2006).

Anchor
JVMSpec 99
JVMSpec 99

[JVMSpec 1999] The Java Virtual Machine Specification. Oracle (1999).

Anchor
JVMSpec 13
JVMSpec 13

[JVMSpec 2013] The Java Virtual Machine Specification Java SE 7 Edition. Oracle (2013).

Anchor
Kabanov 09
Kabanov 09

[Kabanov 2009] Kabanov, Jevgeni. The Ultimate Java Puzzler (2009).

Anchor
Kalinovsky 04
Kalinovsky 04

[Kalinovsky 2004] Kalinovsky, Alex. Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering. Indianapolis: SAMS (2004).

Anchor
Knoernschild 01
Knoernschild 01

[Knoernschild 2001] Knoernschild, Kirk. Java™ Design: Objects, UML, and Process. Boston: Addison-Wesley Professional (2001).

Anchor
Lea 00
Lea 00

[Lea 2000] Lea, Doug. Concurrent Programming in Java: Design Principles and Patterns, 2nd ed. Reading, MA: Addison-Wesley (2000).

Anchor
Lo 05
Lo 05

[Lo 2005] Lo, Chia-Tien Dan, Witawas Srisa-an, and J. Morris Chang. Security Issues in Garbage Collection. STSC Crosstalk, (2005, October).

Anchor
Long 11
Long 11

[Long 2011] Long, Fred, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, and David Svoboda. The CERT Oracle Secure Coding Standard for Java, SEI Series in Software Engineering. Upper Saddle River, NJ: Addison-Wesley (2011).

Anchor
Manion 13
Manion 13

[Manion 2013] Manion, Art. Anatomy of Java Exploits, CERT/CC Blog (January 15, 2013).

Anchor
Martin 96
Martin 96

[Martin 1996] Martin, Robert C. Granularity. The C++ Report 8(10):57–62 (1996).

Anchor
McGraw 99
McGraw 99

[McGraw 1999] McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code. New York: Wiley (1999).

Anchor
Mettler 10
Mettler 10

[Mettler 2010] Adrian Mettler and David Wagner, Class Properties for Security Review in an Object-Capability Subset of Java, Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '10). ACM, Article 7, doi: 10.1145/1814217.1814224, 2010.

Anchor
Miller 09
Miller 09

[Miller 2009] Miller, Alex. Java™ Platform Concurrency Gotchas. JavaOne Conference (2009).

Anchor
Netzer 92
Netzer 92

[Netzer 1992] Netzer, Robert H. B., and Barton P. Miller. What Are Race Conditions? Some Issues and Formalization. ACM Letters on Programming Languages and Systems 1(1):74–88 (1992).

Anchor
Oaks 01
Oaks 01

[Oaks 2001] Oaks, Scott. Java Security. Sebastopol, CA: O'Reilly (2001).

Anchor
Oracle 08
Oracle 08

[Oracle 2008] Permissions in the Java™ SE 6 Development Kit (JDK). Oracle (2008).

Anchor
Oracle 10a
Oracle 10a

[Oracle 2010a] Java SE 6 HotSpot™ Virtual Machine Garbage Collection Tuning. Oracle (2010).

Anchor
Oracle 10b
Oracle 10b

[Oracle 2010b] New I/O APIs. Oracle (2010).

Anchor
Oracle 11
Oracle 11

[Oracle 2011] Package javax.servlet.http. Oracle (2011).

Anchor
Oracle 12a
Oracle 12a

[Oracle 2012a] API for Privileged Blocks. Oracle (1993/2012).

Anchor
Oracle 12b
Oracle 12b

[Oracle 2012b] "Reading ASCII Passwords from an InputStream Example," Java Cryptography Architecture (JCA) Reference Guide. Oracle (2012).

Anchor
Oracle 12c
Oracle 12c

[Oracle 2012c] Java Platform Standard Edition 7 Documentation. Oracle (2012).

Anchor
Oracle 13
Oracle 13

[Oracle 2013]  Oracle Security Alert for CVE-2013-0422. Oracle (2013).

Anchor
OWASP 05
OWASP 05

[OWASP 2005] OWASP (Open Web Application Security Project). A Guide to Building Secure Web Applications and Web Services (2005).

Anchor
OWASP 08
OWASP 08

[OWASP 2008] OWASP. Open Web Application Security Project homepage (2008).

Anchor
OWASP 11
OWASP 11

[OWASP 2011] OWASP. Cross-site Scripting (XSS) (2011).

Anchor
OWASP 12
OWASP 12

[OWASP 2012] OWASP. Hashing Java, "Why Add Salt?" (2012).

Anchor
Paar 09
Paar 09

[Paar 2009] Paar, Christof, and Jan Pelzl. Understanding Cryptography, A Textbook for Students and Practitioners (companion website contains online cryptography course that covers hash functions). Berlin: Springer (2009).

Anchor
Pistoia 04
Pistoia 04

[Pistoia 2004] Pistoia, Marco, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java Security: Building Secure J2EE Applications. Boston: Addison-Wesley (2004).

Anchor
Policy 02
Policy 02

[Policy 2002] Default Policy Implementation and Policy File Syntax, Document revision 1.6, Sun Microsystems/Oracle (2002/2010).

Anchor
Reddy 00
Reddy 00

[Reddy 2000] Achut Reddy. Java Coding Style Guide (2000).

Anchor
Rogue 00
Rogue 00

[Rogue 2000] Vermeulen, Allan, Scott W. Ambler, Greg Bumgardner, and Eldon Metz. The Elements of Java Style. New York: Cambridge University Press (2000).

Anchor
SCG 10
SCG 10

[SCG 2010] Secure Coding Guidelines for the Java Programming Language, version 4.0. Oracle (2010). AnchorGoetz 05bGoetz 05b [Goetz 2005b] Goetz, Brian. Java Theory and Practice: Plugging Memory Leaks with Weak References: Weak References Make It Easy to Express Object Lifecycle Relationships. IBM developerWorks (2005). AnchorGoetz 06Goetz 06 [Goetz 2006] Goetz, Brian, Tim Peierls, Joshua Bloch, Joseph Bowbeer, David Holmes, and Doug Lea. Java Concurrency in Practice. Upper Saddle River, NJ: Addison-Wesley Professional (2006). AnchorGoetz 07Goetz 07 [Goetz 2007] Goetz, Brian. Java Theory and Practice: Managing Volatility: Guidelines for Using Volatile Variables. IBM developerWorks (2006). AnchorGoldberg 91Goldberg 91 [Goldberg 1991] Goldberg, David. What Every Computer Scientist Should Know About Floating-Point Arithmetic. Sun Microsystems (1991/2000). AnchorGoodliffe 06Goodliffe 06[Goodliffe 2006] Pete Goodliffe. Code Craft: The Practice of Writing Excellent Code. San Francisco: No Starch Press, 2006 AnchorGong 03Gong 03 [Gong 2003] Gong, Li, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Upper Saddle River, NJ: Prentice Hall (2003). AnchorGrand 02Grand 02 [Grand 2002] Grand, Mark. Patterns in Java, Vol. 1, 2nd ed. New York: Wiley (2002). AnchorGreanier 00Greanier 00 [Greanier 2000] Greanier, Todd. Discover the Secrets of the Java Serialization API. Sun Developer Network (2000). AnchorGreen 08Green 08 [Green 2008] Green, Roedy. Canadian Mind Products Java & Internet Glossary (2008/2012). AnchorGrigg 06Grigg 06 [Grigg 2006] Grigg, Jeffery. Reflection on Inner Classes (2006). AnchorGrosso 01Grosso 01 [Grosso 2001] Grosso, William. Java RMI. Sebastopol, CA: O'Reilly (2001). AnchorGrubb 13Grubb 13[Grubb 2013] Penny Grubb, and Armstrong A. Takang. Software Maintenance Concepts and Practice, 2nd ed.  River Edge, NJ: World Scientific (2013).        AnchorGuillardoy 12Guillardoy 12[Guillardoy 2012] Guillardoy, Esteban (Immunity Products). Java 0-day analysis (CVE-2012-4681) (August 28, 2012). AnchorGupta 05Gupta 05 [Gupta 2005] Gupta, Satish Chandra, and Rajeev Palanki. Java Memory Leaks—Catch Me If You Can: Detecting Java Leaks Using IBM Rational Application Developer 6.0. IBM developerWorks (2005). AnchorHaack 06Haack 06 [Haack 2006] Haack, Christian, Erik Poll, Jan Schäfer, and Aleksy Schubert. Immutable Objects in Java. Research report, Radboud University Nijmegen (2006). AnchorHaggar 00Haggar 00 [Haggar 2000] Haggar, Peter. Practical Java™ Programming Language Guide. Reading, MA: Addison-Wesley Professional (2000). AnchorHalloway 00Halloway 00 [Halloway 2000] Halloway, Stuart. Java Developer Connection Tech Tips, March 28, 2000. Sun Microsystems (2000). AnchorHalloway 01Halloway 01 [Halloway 2001] Halloway, Stuart. Java Developer Connection Tech Tips, January 30, 2001. Sun Microsystems (2001). AnchorHarold 97Harold 97 [Harold 1997] Harold, Elliotte Rusty. Java Secrets. Foster City, CA: IDG Books Worldwide (1997). AnchorHarold 99Harold 99 [Harold 1999] Harold, Elliotte Rusty. Java I/O. Sebastopol, CA: O'Reilly (1999). AnchorHarold 06Harold 06 [Harold 2006] Harold, Elliotte Rusty. Java I/O, 2nd ed. Sebastopol, CA: O'Reilley (2006). AnchorHatton 95Hatton 95 [Hatton 1995] Hatton, Les. Safer C: Developing Software for High-Integrity and Safety-Critical Systems. New York: McGraw-Hill, 1995 (ISBN 0-07-707640-0). AnchorHawtin 06Hawtin 06[Hawtin 2006] Hawtin, Thomas. [drlvm][kernel_classes] ThreadLocal vulnerability. MarkMail (2006). AnchorHawtin 08Hawtin 08 [Hawtin 2008] Hawtin, Thomas. Secure Coding Antipatterns: Preventing Attacks and Avoiding Vulnerabilities. Sun Microsystems, Make It Fly, London (2008). AnchorHavelund 10Havelund 10[Havelund 2010]  Klaus Havelund, and Al Niessner.  JPL Coding Standard, Version 1.1 (January 25, 2010)   AnchorHenney 03Henney 03 [Henney 2003] Henney, Kevlin. Null Object, Something for Nothing (2003). AnchorHirondelle 13Hirondelle 13[Hirondelle 2013] Hirondelle Systems. Passwords Never Clear in Text (2013). AnchorHitchens 02Hitchens 02 [Hitchens 2002] Hitchens, Ron. Java™ NIO. Cambridge, MA: O'Reilly (2002). AnchorHornig 07Hornig 07 [Hornig 2007] Hornig, Charles. Advanced Java™ Globalization. JavaOne Conference (2007). AnchorHovemeyer 07Hovemeyer 07 [Hovemeyer 2007] Hovemeyer, David, and William Pugh. Finding More Null Pointer Bugs, But Not Too Many. In Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE), San Diego (2007). AnchorHunt 98Hunt 98 [Hunt 1998] Hunt, J., and F. Long. Java's Reliability: An Analysis of Software Defects in Java. IEE Proceedings: Software 145(2/3):41–50 (1998). AnchorIEC 60812 2006IEC 60812 2006 [IEC 60812 2006] IEE (International Electrotechnical Commission). Analysis Techniques for System Reliability: Procedure for Failure Mode and Effects Analysis (FMEA), 2nd ed. Geneva: IEC (2006). AnchorIEEE 754 2006IEEE 754 2006 [IEEE 754 2006] IEEE (Institute of Electrical and Electronics Engineers). Standard for Binary Floating-Point Arithmetic (IEEE 754-1985). New York: IEEE (2006). AnchorISO/IEC 9899 2011ISO/IEC 9899 2011[ISO/IEC 9899:2011] ISO/IEC. Programming Languages—C, 3rd ed (ISO/IEC 9899:2011). Geneva, Switzerland: International Organization for Standardization (2011).  AnchorISO/IEC TR 24772 13ISO/IEC TR 24772 13[ISO/IEC TR 24772:2013] ISO/IEC TR 24772:2013. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use.  Geneva, Switzerland: International Organization for Standardization (March 2013). AnchorJ2SE 00J2SE 00 [J2SE 2000] JavaTM 2 SDK, Standard Edition Documentation, J2SE Documentation version 1.3. Sun Microsystems/Oracle (2000/2010). AnchorJarSpec 08JarSpec 08 [JarSpec 2008] J2SE Documentation version 1.5, Jar File Specification. Oracle (2008/2010). AnchorJava 06Java 06 [Java 2006] java: The Java Application Launcher. Oracle (2006/2011). AnchorJava2NS 99Java2NS 99 [Java2NS 1999] Pistoia, Marco, Duane F. Reller, Deepak Gupta, Milind Nagnur, and Ashok K. Ramani. Java 2 Network Security. Upper Saddle River, NJ: Prentice Hall (1999). AnchorJavaGenerics 04JavaGenerics 04 [JavaGenerics 2004] Java Generics. Oracle (2004). AnchorJavaThreads 99JavaThreads 99 [JavaThreads 1999] Oaks, Scott, and Henry Wong. Java Threads, 2nd ed. Sebastopol, CA: O'Reilly (1999). AnchorJavaThreads 04JavaThreads 04 [JavaThreads 2004] Oaks, Scott, and Henry Wong. Java Threads, 3rd ed. Sebastopol, CA: O'Reilly (2004). AnchorJDK7 08JDK7 08 [JDK7 2008] Java™ Platform, Standard Edition 7 Documentation. Oracle (2008). AnchorJLS 05JLS 05 [JLS 2005] Gosling, James, Bill Joy, Guy Steele, and Gilad Bracha. Java Language Specification, 3rd ed. Upper Saddle River, NJ: Prentice Hall (2005). AnchorJLS 11JLS 11 [JLS 2011] Gosling, James, Bill Joy, Guy Steele, Gilad Bracha, and Alex Buckley. Java Language Specification: Java SE 7 Edition. Oracle America (2011). AnchorJMX 06JMX 06 [JMX 2006] Monitoring and Management for the Java Platform. Oracle (2006). AnchorJMXG 06JMXG 06 [JMXG 2006] Java SE Monitoring and Management Guide. Oracle (2006). AnchorJNI 06JNI 06 [JNI 2006] Java Native Interface. Oracle (2006). Anchor Jovanovic 06 Jovanovic 06 [Jovanovic 2006] Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 258–263, May 21–24, Oakland, CA (2006). AnchorJPDA 04JPDA 04 [JPDA 2004] Java Platform Debugger Architecture (JPDA). Oracle (2004). AnchorJPL 06JPL 06 [JPL 2006] Arnold, Ken, James Gosling, and David Holmes. The Java™ Programming Language, 4th ed. Reading, MA: Addison-Wesley Professional (2006). AnchorJSR-133 04JSR-133 04 [JSR-133 2004] JSR-133: Java™ Memory Model and Thread Specification (2004). AnchorJVMTI 06JVMTI 06 [JVMTI 2006] Java Virtual Machine Tool Interface (JVM TI). Oracle (2006). AnchorJVMSpec 99JVMSpec 99 [JVMSpec 1999] The Java Virtual Machine Specification. Oracle (1999). AnchorJVMSpec 13JVMSpec 13 [JVMSpec 2013] The Java Virtual Machine Specification Java SE 7 Edition. Oracle (2013). AnchorKabanov 09Kabanov 09 [Kabanov 2009] Kabanov, Jevgeni. The Ultimate Java Puzzler (2009). AnchorKabutz 01Kabutz 01 [Kabutz 2001] Kabutz, Heinz M. The Java Specialists' Newsletter. (2001). AnchorKalinovsky 04Kalinovsky 04 [Kalinovsky 2004] Kalinovsky, Alex. Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering. Indianapolis: SAMS (2004). AnchorKnoernschild 01Knoernschild 01 [Knoernschild 2001] Knoernschild, Kirk. Java™ Design: Objects, UML, and Process. Boston: Addison-Wesley Professional (2001). AnchorLai 08Lai 08 [Lai 2008] Lai, Charlie. Java Insecurity: Accounting for Subtleties That Can Compromise Code. IEEE Software 25(1):13–19 (2008). AnchorLanger 08Langer 08 [Langer 2008] Langer, Angelica, trainer and consultant. http://www.angelikalanger.com/GenericsFAQ/FAQSections/ProgrammingIdioms.html (2008). AnchorLea 00Lea 00 [Lea 2000] Lea, Doug. Concurrent Programming in Java: Design Principles and Patterns, 2nd ed. Reading, MA: Addison-Wesley (2000). AnchorLea 00bLea 00b [Lea 2000b] Lea, Doug, and William Pugh. Correct and Efficient Synchronization of Java™ Technology–based Threads. JavaOne Conference (2000). AnchorLea 08Lea 08 [Lea 2008] Lea, Doug. The JSR-133 Cookbook for Compiler Writers (2008/2011). AnchorLee 09Lee 09 [Lee 2009] Lee, Sangjin, Mahesh Somani, and Debashis Saha, eBay Inc. Robust and Scalable Concurrent Programming: Lessons from the Trenches. JavaOne Conference (2009). AnchorLiang 97Liang 97 [Liang 1997] Liang, Sheng. The Java™ Native Interface: Programmer's Guide and Specification. Reading, MA: Addison-Wesley (1997). AnchorLiang 98Liang 98 [Liang 1998] Liang, Sheng, and Gilad Bracha. Dynamic Class Loading in the Java™ Virtual Machine. In Proceedings of the 13th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, New York (1998). AnchorLieberman 86Lieberman 86 [Lieberman 1986] Lieberman, Henry. Using Prototypical Objects to Implement Shared Behavior in Object-Oriented Systems. In Proceedings of the Conference on Object-Oriented Programming Systems, Languages and Applications, pp. 214–223, Portland, OR (1986). AnchorLo 05Lo 05 [Lo 2005] Lo, Chia-Tien Dan, Witawas Srisa-an, and J. Morris Chang. Security Issues in Garbage Collection. STSC Crosstalk, (2005, October). AnchorLong 05Long 05 [Long 2005] Long, Fred. Software Vulnerabilities in Java. CMU/SEI-2005-TN-044 (2005). AnchorLong 11Long 11 [Long 2011] Long, Fred, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, and David Svoboda. The CERT Oracle Secure Coding Standard for Java, SEI Series in Software Engineering. Upper Saddle River, NJ: Addison-Wesley (2011) AnchorLow 97Low 97 [Low 1997] Low, Douglas. Protecting Java Code via Obfuscation. Crossroads 4(3):21–23 (1997). AnchorMacgregor 98Macgregor 98 [Macgregor 1998] MacGregor, Robert, Dave Durbin, John Owlett, and Andrew Yeomans. Java Network Security. Upper Saddle River, NJ: Prentice Hall PTR (1998). AnchorMahmoud 02Mahmoud 02 [Mahmoud 2002] Mahmoud, H. Qusay. Compressing and Decompressing Data Using Java APIs. Oracle (2002). AnchorMak 02Mak 02 [Mak 2002] Mak, Ronald. Java Number Cruncher: The Java Programmer's Guide to Numerical Computing. Upper Saddle River, NJ: Prentice Hall (2002). AnchorManion 13Manion 13[Manion 2013] Manion, Art. Anatomy of Java Exploits, CERT/CC Blog (January 15, 2013). AnchorManson 04Manson 04 [Manson 2004] Manson, Jeremy, and Brian Goetz. JSR 133 (Java Memory Model) FAQ (2004). AnchorManson 06Manson 06 [Manson 2006] Manson, Jeremy, and William Pugh. The Java™ Memory Model: The Building Block of Concurrency. JavaOne Conference (2006). AnchorMartin 96Martin 96 [Martin 1996] Martin, Robert C. Granularity. The C++ Report 8(10):57–62 (1996). AnchorMcCluskey 01McCluskey 01 [McCluskey 2001] McCluskey, Glen. Java Developer Connection Tech Tips. (2001, April 10). AnchorMcGraw 98McGraw 98 [McGraw 1998] McGraw, Gary, and Edward W. Felten. Twelve Rules for Developing More Secure Java Code. JavaWorld.com (1998). AnchorMcGraw 99McGraw 99 [McGraw 1999] McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code. New York: Wiley (1999). AnchorMettler 10Mettler 10 [Mettler 2010] Adrian Mettler and David Wagner, Class Properties for Security Review in an Object-Capability Subset of Java, Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '10). ACM, Article 7, doi: 10.1145/1814217.1814224, 2010. AnchorMiller 09Miller 09 [Miller 2009] Miller, Alex. Java™ Platform Concurrency Gotchas. JavaOne Conference (2009). AnchorMISRA 04MISRA 04 [MISRA 2004] MISRA Limited. MISRA C: 2004 Guidelines for the Use of the C Language in Critical Systems. Warwickshire, UK: MIRA Limited, October 2004 (ISBN 095241564X). AnchorMITRE CWEMITRE CWE [MITRE CWE] MITRE Corporation. Common Weakness Enumeration (2013). AnchorMocha 07Mocha 07 [Mocha 2007] Mocha, the Java Decompiler (2007). AnchorMonsch 06Monsch 06 [Monsch 2006] Monsch, Jan P. Ruining Security with java.util.Random, Version 1.0 (2006). AnchorMSDN 09MSDN 09 [MSDN 2009] Microsoft. Using SQL Escape Sequences (2009). AnchorMuchow 01Muchow 01 [Muchow 2001] Muchow, John W. MIDlet Packaging with J2ME. ONJava (2001). AnchorMuller 02Muller 02 [Müller 2002] Müller, Andreas, and Geoffrey Simmons. Exception Handling: Common Problems and Best Practice with Java 1.4. Sun Microsystems (2002). AnchorNaftalin 06Naftalin 06 [Naftalin 2006] Naftalin, Maurice, and Philip Wadler. Java Generics and Collections. Sebastopol, CA: O'Reilly (2006). AnchorNaftalin 06bNaftalin 06b [Naftalin 2006b] Naftalin, Maurice, and Philip Wadler. Java™ Generics and Collections: Tools for Productivity. JavaOne Conference (2007). AnchorNetzer 92Netzer 92 [Netzer 1992] Netzer, Robert H. B., and Barton P. Miller. What Are Race Conditions? Some Issues and Formalization. ACM Letters on Programming Languages and Systems 1(1):74–88 (1992). AnchorNeward 04Neward 04 [Neward 2004] Neward, Ted. Effective Enterprise Java. Boston: Addison-Wesley (2004). AnchorNisewanger 07Nisewanger 07 [Nisewanger 2007] Nisewanger, Jeff. Avoiding Antipatterns. JavaOne Conference (2007). AnchorNolan 04Nolan 04 [Nolan 2004] Nolan, Godfrey. Decompiling Java. Berkeley, CA: Apress (2004). AnchorOaks 01Oaks 01 [Oaks 2001] Oaks, Scott. Java Security. Sebastopol, CA: O'Reilly (2001). AnchorOracle 08aOracle 08a [Oracle 2008a] Package javax.servlet.http. Oracle (2008). AnchorOracle 08bOracle 08b [Oracle 2008b] Permissions in the Java™ SE 6 Development Kit (JDK). Oracle (2008). AnchorOracle 10aOracle 10a [Oracle 2010a] Java SE 6 HotSpot™ Virtual Machine Garbage Collection Tuning. Oracle (2010). AnchorOracle 10bOracle 10b [Oracle 2010b] New I/O APIs. Oracle (2010). AnchorOracle 11Oracle 11 [Oracle 2011] Package javax.servlet.http. Oracle (2011). AnchorOracle 12aOracle 12a [Oracle 2012a] API for Privileged Blocks. Oracle (1993/2012). AnchorOracle 12bOracle 12b [Oracle 2012b] "Reading ASCII Passwords from an InputStream Example," Java Cryptography Architecture (JCA) Reference Guide. Oracle (2012). AnchorOracle 12cOracle 12c [Oracle 2012c] Java Platform Standard Edition 7 Documentation. Oracle (2012). AnchorOracle 12dOracle 12d [Oracle 2012d] Permissions in Java SE 7 Development Kit (JDK). Oracle (2012). AnchorOracle 13Oracle 13[Oracle 2013]  Oracle Security Alert for CVE-2013-0422. Oracle (2013). AnchorOWASP 05OWASP 05 [OWASP 2005] OWASP (Open Web Application Security Project). A Guide to Building Secure Web Applications and Web Services (2005). AnchorOWASP 07OWASP 07 [OWASP 2007] OWASP. OWASP Top 10 for JAVA EE (2007). AnchorOWASP 08OWASP 08 [OWASP 2008] OWASP. Open Web Application Security Project homepage (2008). AnchorOWASP 09OWASP 09 [OWASP 2009] OWASP. Session Fixation in Java (2009). AnchorOWASP 11OWASP 11 [OWASP 2011] OWASP. Cross-site Scripting (XSS) (2011). AnchorOWASP 12OWASP 12 [OWASP 2012] OWASP. Hashing Java, "Why Add Salt?" (2012). AnchorPaar 09Paar 09[Paar 2009] Paar, Christof, and Jan Pelzl. Understanding Cryptography, A Textbook for Students and Practitioners (companion website contains online cryptography course that covers hash functions). Berlin: Springer (2009). AnchorPhilion 03Philion 03 [Philion 2003] Philion, Paul. Beware the Dangers of Generic Exceptions. JavaWorld.com (2003). AnchorPhillips 05Phillips 05 [Phillips 2005] Phillips, Addison P. Are We Counting Bytes Yet? Writing Encoding Converters Using Java NIO. Paper presented at the 27th Internationalization and Unicode Conference, April 6–8, Berlin (2005). AnchorPistoia 04Pistoia 04 [Pistoia 2004] Pistoia, Marco, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java Security: Building Secure J2EE Applications. Boston: Addison-Wesley (2004). AnchorPolicy 02Policy 02 [Policy 2002] Default Policy Implementation and Policy File Syntax, Document revision 1.6, Sun Microsystems/Oracle (2002/2010). AnchorPugh 04Pugh 04 [Pugh 2004] Pugh, William. The Java Memory Model (discussions reference). Discussion based on work supported by the National Science Foundation under Grant No. 0098162 (2004). AnchorPugh 08Pugh 08 [Pugh 2008] Pugh, William. Defective Java Code: Turning WTF Code into a Learning Experience. JavaOne Conference (2008). AnchorPugh 09Pugh 09 [Pugh 2009] Pugh, William. Defective Java Code: Mistakes That Matter. JavaOne Conference (2009). AnchorReasoning 03Reasoning 03 [Reasoning 2003] Reasoning Inspection Service Defect Data: Tomcat v 1.4.24 (2003). AnchorReddy 00Reddy 00 [Reddy 2000] Achut Reddy. Java Coding Style Guide (2000). AnchorReflect 06Reflect 06 [Reflect 2006] Reflection. Oracle (2006). AnchorRogue 00Rogue 00 [Rogue 2000] Vermeulen, Allan, Scott W. Ambler, Greg Bumgardner, and Eldon Metz. The Elements of Java Style. New York: Cambridge University Press (2000). AnchorRotem 08Rotem 08 [Rotem 2008] Rotem-Gal-Oz, Arnon. Fallacies of Distributed Computing Explained (white paper) (2008). AnchorRoubtsov 03Roubtsov 03 [Roubtsov 2003] Roubtsov, Vladimir. Breaking Java Exception-Handling Rules Is Easy. JavaWorld.com (2003). AnchorRoubtsov 03bRoubtsov 03b [Roubtsov 2003b] Roubtsov, Vladimir. Into the Mist of Serialization Myths. JavaWorld.com (2003). AnchorSaltzer 74Saltzer 74 [Saltzer 1974] Saltzer, J. H. Protection and the Control of Information Sharing in Multics. Communications of the ACM 17(7):388–402 (1974). AnchorSaltzer 75Saltzer 75 [Saltzer 1975] Saltzer, J. H., and M. D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE 63(9):1278–1308. AnchorSCG 07SCG 07 [SCG 2007] Secure Coding Guidelines for the Java Programming Language, version 2.0. Sun Microsystems (2007). AnchorSCG 09SCG 09 [SCG 2009] Secure Coding Guidelines for the Java Programming Language, version 3.0. Oracle (2009). AnchorSCG 10SCG 10 [SCG 2010] Secure Coding Guidelines for the Java Programming Language, version 4.0. Oracle (2010). AnchorSchildt 07Schildt 07 [Schildt 2007] Schildt, Herb. Herb Schildt's Java Programming Cookbook. New York: McGraw-Hill (2007). AnchorSchneier 00Schneier 00 [Schneier 2000] Schneier, Bruce. Secrets and Lies—Digital Security in a Networked World. New York: Wiley (2000). AnchorSchoenefeld 04Schoenefeld 04 [Schoenefeld 2004] Java Vulnerabilities in Opera 7.54 BUGTRAQ Mailing List (bugtraq@securityfocus.com) (2004, November). AnchorSchwarz 04Schwarz 04 [Schwarz 2004] Schwarz, Don. Avoiding Checked Exceptions. ONJava (2004). AnchorSchweisguth 03Schweisguth 03 [Schweisguth 2003] Schweisguth, Dave. Java Tip 134: When Catching Exceptions, Don't Cast Your Net Too Wide. JavaWorld.com (2003). AnchorSDN 08SDN 08 [SDN 2008] Sun Developer Network. Sun Microsystems (1994/2008). AnchorSeacord 05Seacord 05 [Seacord 2005] Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley (2005). See http://www.cert.org/books/secure-coding for news and errata.

Anchor
Seacord 08
Seacord 08

[Seacord 2008] Seacord, Robert C. The CERT C Secure Coding Standard. Boston: Addison-Wesley (2008).

Anchor
Seacord 12
Seacord 12

[Seacord 2012] Seacord, Robert, Will Dormann, James McCurley, Philip Miller, Robert Stoddard, David Svoboda,   and Jefferson Welch.    Source Code Analysis Laboratory (SCALe) (CMU/SEI-2012-TN-013). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012. http://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm.

Anchor
Seacord 13
Seacord 13

[Seacord 2013] Seacord, Robert C. Secure Coding in C and C++, 2nd ed. Boston: Addison-Wesley (2013). See http://www.cert.org/books/secure-coding for news and errata.

...