Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

...

Allowing serialization or deserialization to bypass the security manager may result in classes being constructed without required security checks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER04-J

High

Probable

High

P6

L2

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
java:
Parasoft_V
java:
Parasoft_V
SECURITY
CERT.
WSC
SER04.SCSER
Implemented
Enforce 'SecurityManager' checks in methods of 'Serializable' classes

Related Guidelines

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 8-4 / SERIAL-4: Duplicate the SecurityManager checks enforced in a class during serialization and deserialization

Android Implementation Details

The java.security package exists on Android for compatibility purposes only, and it should not be used.

Bibliography

[Long 2005]

Section 2.4, "Serialization"

...


...