...
Possible Recommendations
- Do not serialize keys, certificates or the classes that contain their instances, as deserialization may fail if the same security provider is not present at the remote end. Instead, override the readObject and writeObject methods and encode the data. [P 202 Oaks 01] *(unsure if this can be classified as a security error)* (done)
- Be careful when using environment variables - investigate usual conditions (done)
- Use HttpSession carefully, Item 25 [Daconta 03]
...
- Thread.interrupted issues
- Java encoding issues (done)
- Prefer composition over inheritance (done)
- Avoid flaws in interfaces (done)
- Naming conventions (will not do)
- Check nonpublic method's params using assertions rather than normal checks (done)
- Create defensive copies of method params (done)
- Prefer interfaces to abstract classes (will not do)
- Prefer interfaces to Reflection (methods) (will not do)
- Failure Atomicity (exceptions should not leave object state inconsistent) (done)
- Avoid ThreadGroup APIs (covered, done)
- Masking, Shadowing, Obscuration (done)
- Issues with ProtectionDomains (if any)
...
Possible Rules
- Do not catch Error (done)
- Avoid using Reflection to instantiate inner classes
- Use a typesafe enum pattern [Bloch, Item 20] (*enum type* provided, JDK 1.5 onwards, [Docs](http://java.sun.com/j2se/1.5.0/docs/guide/language/enums.html))
- Some of the anti-patterns described in EXC00-J. Do not suppress or ignore checked exceptions (done)
- Do not hardcode sensitive information (covered, done)
- compareTo() contract violations like natural ordering that is not consistent with equals (done)
- Don't catch Throwable without checking for ThreadDeath. ("Don't catch ThreadDeath" can be considered; will not do)
- Usage of GetResource may be unsafe if class is extended [Findbugs]
- Do not serialize/deserialize resource handles (done)
- Do not sign encrypted data (SignedObject should be first, followed by SealedObject) (covered, done)
...