Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add ASVS NIST800-63

Anchor
Abadi 96Abadi 96
[Abadi 1996] Abadi, Martin, and Roger Needham. Prudent Engineering Practice for Cryptographic Protocols. IEEE Transactions on Software Engineering 22(1):6–15 (1996
Apache 13
Apache 13
Anchor
Apache 14
Apache 14

[Apache 2014] Apache Tika: A Content Analysis Toolkit. The Apache Software Foundation (2014).

Anchor
API 06
API 06

[API 2006] Java Platform, Standard Edition 6 API Specification. , Oracle (2006/2011).

Anchor
API 11
API 11
Anchor
API 13
API 13

[API 2011] Java Platform, Standard Edition 7 API Specification. , Oracle (2011).

Anchor
Austin 00Austin 00
[Austin 2000] Austin, Calvin, and Monica Pawlan. Advanced Programming for the Java 2 Platform. Boston: Addison-Wesley Longman (2000
API 14
API 14

[API 2014] Java Platform, Standard Edition 8 API Specification, Oracle (2014).

Anchor
Arnold 06
Arnold 06

[Arnold 2006] Ken Arnold, James Gosling, and David Holmes. The Java Programming Language, 4th ed., Boston: Addison-Wesley (2006).

Anchor
ASVS
ASVS

[ASVS 2019] OWASP Application Security Verification Standard Project (2019).

Anchor
Black 04
Black 04

[Black 2004] Black, Paul E., and Paul J. Tanenbaum. "Partial order." In Dictionary of Algorithms and Data Structures [online]. Paul E. Black, ed., U.S. National Institute of Standards and Technology (2004).

Anchor
Black 06Black 06
[Black 2006] Black, Paul E., and Paul J. Tanenbaum. "Total order." In Dictionary of Algorithms and Data Structures [online]. Paul E. Black, ed., U.S. National Institute of Standards and Technology (2006).
Anchor
Bloch Bloch 01
Bloch 01

[Bloch 2001] Bloch, Joshua. Effective Java: Programming Language Guide. Boston: Addison-Wesley (2001).

Anchor
Bloch 05
Bloch 05

[Bloch 2005] Bloch, Joshua, and Neal Gafter. Java Puzzlers: Traps, Pitfalls, and Corner Cases. Upper Saddle River, NJ: Addison-Wesley (2005).

Anchor
Bloch 0708
Bloch 0708

[Bloch 20072008] Bloch, Joshua. Effective Java™ Reloaded: This Time It's (Not) for Real. JavaOne Conference (2007Java, 2nd ed. Upper Saddle River, NJ: Addison-Wesley (2008).

Anchor
Campione 96
Campione 96Bloch 08Bloch 08

[Bloch 2008] Bloch, Joshua. Effective Java, 2nd ed. Upper Saddle River, NJCampione 1996] Campione, Mary, and Kathy Walrath. The Java Tutorial: Object-Oriented Programming for the Internet. Reading, MA: Addison-Wesley (20081996).

Anchor
Chan 99
Chan 99Bloch 09Bloch 09

[Bloch 2009Chan 1999] Bloch, JoshuaChan, Patrick, Rosanna Lee, and Neal Gafter. Return of the Puzzlers: Schlock and Awe. JavaOne Conference (2009Douglas Kramer. The Java Class Libraries: Supplement for the Java 2 Platform, v1.2, 2nd ed., vol. 1. Upper Saddle River, NJ: Prentice Hall (1999).

Anchor
Cohen 81
Cohen 81Boehm 05Boehm 05

[Boehm 2005Cohen 1981] BoehmCohen, Hans-J. Finalization, Threads, and the Java™ Technology-Based Memory Model. JavaOne Conference (2005D. On Holy Wars and a Plea for Peace, IEEE Computer, 14(10):48–54 (1981).

Anchor
Conventions 09
Conventions 09Campione 96Campione 96

[Campione 1996] Campione, Mary, and Kathy Walrath. The Java Tutorial: Object-Oriented Programming for the Internet. Reading, MA: Addison-Wesley (1996Conventions 2009] Code Conventions for the Java Programming Language. Oracle (2009).

Anchor
Coomes 07
Coomes 07CCITT 88CCITT 88

[CCITT 1988] CCITT (International Telegraph and Telephone Consultative Committee). CCITT Blue Book: Recommendation X.509 and IS0 9594-8: The Directory-Authentication Framework. Geneva: International Telecommunication Union (1988Coomes 2007] Coomes, John, Peter Kessler, and Tony Printezis. Garbage Collection-Friendly Programming. Java SE Garbage Collection Group, Sun Microsystems, JavaOne Conference (2007).

Anchor
Chan 99Chan 99
[Chan 1999] Chan, Patrick, Rosanna Lee, and Douglas Kramer. The Java Class Libraries: Supplement for the Java 2 Platform, v1.2, 2nd ed., vol. 1
Core Java 04
Core Java 04

[Core Java 2004] Horstmann, Cay S., and Gary Cornell. Core Java™ 2, Vol. I: Fundamentals, 7th ed. Upper Saddle River, NJ: Prentice Hall PTR (19992004).

Anchor
Chess Coverity 07Chess
Coverity 07

[Chess 2007] Chess, Brian, and Jacob West. Secure Programming with Static Analysis. Upper Saddle River, NJ: Addison-Wesley Professional Coverity 2007] Coverity Prevent User's Manual (3.3.0). Coverity (2007).

Anchor
Daconta 03
Daconta 03Christudas 05Christudas 05

[Christudas 2005] Christudas, Binildas. Internals of Java Class Loading, ONJava (2005Daconta 2003] Daconta, Michael C., Kevin T. Smith, Donald Avondolio, and W. Clay Richardson. More Java Pitfalls: 50 New Time-Saving Solutions and Workarounds. Indianapolis, IN: Wiley (2003).

Anchor
Davis 08
Davis 08Cohen 81Cohen 81

[Cohen 1981] Cohen, D. On Holy Wars and a Plea for Peace, IEEE Computer, 14(10):48–54 (1981Davis 2008] Davis, Mark, and Ken Whistler (Ed.). Unicode Standard Annex #15: Unicode Normalization Forms (2008).

Anchor
Dennis 1966
Dennis 1966Conventions 09Conventions 09

[Conventions 2009] Code Conventions for the Java Programming Language. Oracle (2009). AnchorCoomes 07Coomes 07 [Coomes 2007] Coomes, John, Peter Kessler, and Tony Printezis. Garbage Collection-Friendly Programming. Java SE Garbage Collection Group, Sun Microsystems, JavaOne Conference (2007). AnchorCore Java 04Core Java 04 [Core Java 2004] Horstmann, Cay S., and Gary Cornell. Core Java™ 2, Vol. I: Fundamentals, 7th ed. Upper Saddle River, NJ: Prentice Hall PTR (2004). AnchorCoverity 07Coverity 07 [Coverity 2007] Coverity Prevent User's Manual (3.3.0). 2007. AnchorCunningham 95Cunningham 95 [Cunningham 1995] Cunningham, Ward. The CHECKS Pattern Language of Information Integrity. In Pattern Languages of Program Design, James O. Coplien and Douglas C. Schmidt, eds. Reading, MA: Addison-Wesley (1995). AnchorDaconta 00Daconta 00 [Daconta 2000] Daconta, Michael C. When Runtime.exec() Won't. JavaWorld.com (2000). AnchorDaconta 03Daconta 03 [Daconta 2003] Daconta, Michael C., Kevin T. Smith, Donald Avondolio, and W. Clay Richardson. More Java Pitfalls. Indianapolis: Wiley (2003). AnchorDarwin 04Darwin 04 [Darwin 2004] Darwin, Ian F. Java Cookbook, 2nd ed. Sebastopol, CA: O’Reilly (2004). AnchorDavis 08Davis 08 [Davis 2008] Davis, Mark, and Ken Whistler. Unicode Standard Annex #15: Unicode Normalization Forms (2008). AnchorDavis 08bDavis 08b [Davis 2008b] Davis, Mark, and Michel Suignard. Unicode Technical Report #36, Unicode Security Considerations (2008). AnchorDennis 1966Dennis 1966 [Dennis 1966] Dennis, Jack B., and Earl C. Van Horn. 1966. Programming Semantics for Multiprogrammed Computations. Communications of the ACM, 9(3):143–155 (1966). doi: 10.1145/365230.365252. AnchorDHS 06DHS 06 [DHS 2006] U.S. Department of Homeland Security. Build Security In (2006/2011). AnchorDormann 08Dormann 08 [Dormann 2008] Dormann, Will. Signed Java Applet Security: Worse Than ActiveX? CERT Vulnerability Analysis Blog (2008). AnchorDoshi 03Doshi 03 [Doshi 2003] Doshi, Gunjan. Best Practices for Exception Handling. ONJava (2003). AnchorDougherty 2009Dougherty 2009 [Dougherty 2009] Dougherty, Chad, Kirk Sayre, Robert C. Seacord, David Svoboda, and Kazuya Togashi. Secure Design Patterns. CMU/SEI-2009-TR-010 (2009). AnchorEclipse 08Eclipse 08 [Eclipse 2008] Eclipse Platform, The Eclipse Foundation (2008). AnchorEncodings 06Encodings 06 [Encodings 2006] Supported Encodings, Oracle (2006/2011). AnchorEnterprise 03Enterprise 03 [Enterprise 2003] Eckstein, Robert. Java Enterprise Best Practices. Sebastopol, CA: O'Reilly (2003). AnchorESA 05ESA 05 [ESA 2005] ESA (European Space Agency). Java Coding Standards. Prepared by ESA Board for Software Standardisation and Control (BSSC) (2005). AnchorFairbanks 07Fairbanks 07 [Fairbanks 2007] Fairbanks, George. Design Fragments. PhD thesis, Carnegie Mellon University (2007). AnchorFindBugs 08FindBugs 08 [FindBugs 2008] FindBugs Bug Descriptions (2008/2011). AnchorFisher 03Fisher 03 [Fisher 2003] Fisher, Maydene, Jon Ellis, and Jonathan Bruce. JDBC API Tutorial and Reference, 3rd ed. Upper Saddle River, NJ: Prentice Hall (2003). AnchorFlanagan 05Flanagan 05 [Flanagan 2005] Flanagan, David. Java in a Nutshell, 5th ed. Sebastopol, CA: O'Reilly Media (2005). AnchorFortify 08Fortify 08 [Fortify 2008] Fortify Software Security Research Group with Gary McGraw. A Taxonomy of Coding Errors That Affect Security (see Java/JSP) (2008/2011). AnchorFox 01Fox 01 [Fox 2001] Fox, Joshua. When Is a Singleton Not a Singleton? JavaWorld (2001). AnchorFT 08FT 08 [FT 2008] Function Table: Class FunctionTable, Field Detail, public static FuncLoader m_functions. Apache XML Project (2008). AnchorGafter 06Gafter 06 [Gafter 2006] Gafter, Neal. Neal Gafter's blog (2006). AnchorGamma 95Gamma 95 [Gamma 1995] Gamma, Erich, Richard Helm, Ralph Johnson, and John M. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Reading, MA: Addison-Wesley (1995). AnchorGarms 01Garms 01 [Garms 2001] Garms, Jess, and Daniel Somerfield. Professional Java Security. Birmingham, UK: Wrox Press (2001). AnchorGNU 13GNU 13 [GNU 2013] GNU Coding Standards, §5.3, "Clean Use of C Constructs." (GNU Coding Standards were written by Richard Stallman and other GNU Project volunteers.) (2013). AnchorGoetz 02Goetz 02 [Goetz 2002] Goetz, Brian. Java Theory and Practice: Safe Construction Techniques: Don't Let the "this" Reference Escape during Construction. IBM developerWorks (2002). AnchorGoetz 04aGoetz 04a [Goetz 2004a] Goetz, Brian. Java Theory and Practice: Garbage Collection and Performance: Hints, Tips, and Myths about Writing Garbage Collection-Friendly Classes. IBM developerWorks (2004). AnchorGoetz 04bGoetz 04b [Goetz 2004b] Goetz, Brian. Java Theory and Practice: The Exceptions Debate: To Check, or Not to Check? IBM developerWorks (2004). AnchorGoetz 04cGoetz 04c [Goetz 2004c] Goetz, Brian. Java Theory and Practice: Going Atomic: The New Atomic Classes Are the Hidden Gems of java.util.concurrent. IBM developerWorks (2004). AnchorGoetz 05aGoetz 05a [Goetz 2005a] Goetz, Brian. Java Theory and Practice: Be a Good (Event) Listener, Guidelines for Writing and Supporting Event Listeners. IBM developerWorks (2005). AnchorGoetz 05bGoetz 05b [Goetz 2005b] Goetz, Brian. Java Theory and Practice: Plugging Memory Leaks with Weak References: Weak References Make It Easy to Express Object Lifecycle Relationships. IBM developerWorks (2005). AnchorGoetz 06aGoetz 06a [Goetz 2006a] Goetz, Brian, Tim Peierls, Joshua Bloch, Joseph Bowbeer, David Holmes, and Doug Lea. Java Concurrency in Practice. Upper Saddle River, NJ: Addison-Wesley Professional (2006). AnchorGoetz 06bGoetz 06b [Goetz 2006b] Goetz, Brian. Java Theory and Practice: Good Housekeeping Practices. IBM developerWorks (2006). AnchorGoetz 07Goetz 07 [Goetz 2007] Goetz, Brian. Java Theory and Practice: Managing Volatility: Guidelines for Using Volatile Variables. IBM developerWorks (2006). AnchorGoldberg 91Goldberg 91 [Goldberg 1991] Goldberg, David. What Every Computer Scientist Should Know About Floating-Point Arithmetic. Sun Microsystems (1991/2000). AnchorGoodliffe 06Goodliffe 06[Goodliffe 2006] Pete Goodliffe. Code Craft: The Practice of Writing Excellent Code. San Francisco: No Starch Press, 2006 AnchorGong 03Gong 03 [Gong 2003] Gong, Li, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Upper Saddle River, NJ: Prentice Hall (2003). AnchorGrand 02Grand 02 [Grand 2002] Grand, Mark. Patterns in Java, Vol. 1, 2nd ed. New York: Wiley (2002). AnchorGreanier 00Greanier 00 [Greanier 2000] Greanier, Todd. Discover the Secrets of the Java Serialization API. Sun Developer Network (2000). AnchorGreen 08Green 08 [Green 2008] Green, Roedy. Canadian Mind Products Java & Internet Glossary (2008/2012). AnchorGrigg 06Grigg 06 [Grigg 2006] Grigg, Jeffery. Reflection on Inner Classes (2006). AnchorGrosso 01Grosso 01 [Grosso 2001] Grosso, William. Java RMI. Sebastopol, CA: O'Reilly (2001). AnchorGrubb 13Grubb 13[Grubb 2013] Penny Grubb, and Armstrong A. Takang. Software Maintenance Concepts and Practice, 2nd ed.  River Edge, NJ: World Scientific (2013).        AnchorGuillardoy 12Guillardoy 12[Guillardoy 2012] Guillardoy, Esteban (Immunity Products). Java 0-day analysis (CVE-2012-4681) (August 28, 2012). AnchorGupta 05Gupta 05 [Gupta 2005] Gupta, Satish Chandra, and Rajeev Palanki. Java Memory Leaks—Catch Me If You Can: Detecting Java Leaks Using IBM Rational Application Developer 6.0. IBM developerWorks (2005). AnchorHaack 06Haack 06 [Haack 2006] Haack, Christian, Erik Poll, Jan Schäfer, and Aleksy Schubert. Immutable Objects in Java. Research report, Radboud University Nijmegen (2006). AnchorHaggar 00Haggar 00 [Haggar 2000] Haggar, Peter. Practical Java™ Programming Language Guide. Reading, MA: Addison-Wesley Professional (2000). AnchorHalloway 00Halloway 00 [Halloway 2000] Halloway, Stuart. Java Developer Connection Tech Tips, March 28, 2000. Sun Microsystems (2000). AnchorHalloway 01Halloway 01 [Halloway 2001] Halloway, Stuart. Java Developer Connection Tech Tips, January 30, 2001. Sun Microsystems (2001). AnchorHarold 97Harold 97 [Harold 1997] Harold, Elliotte Rusty. Java Secrets. Foster City, CA: IDG Books Worldwide (1997). AnchorHarold 99Harold 99 [Harold 1999] Harold, Elliotte Rusty. Java I/O. Sebastopol, CA: O'Reilly (1999). AnchorHarold 06Harold 06 [Harold 2006] Harold, Elliotte Rusty. Java I/O, 2nd ed. Sebastopol, CA: O'Reilley (2006). AnchorHatton 95Hatton 95 [Hatton 1995] Hatton, Les. Safer C: Developing Software for High-Integrity and Safety-Critical Systems. New York: McGraw-Hill, 1995 (ISBN 0-07-707640-0). AnchorHawtin 06Hawtin 06[Hawtin 2006] Hawtin, Thomas. [drlvm][kernel_classes] ThreadLocal vulnerability. MarkMail (2006). AnchorHawtin 08Hawtin 08 [Hawtin 2008] Hawtin, Thomas. Secure Coding Antipatterns: Preventing Attacks and Avoiding Vulnerabilities. Sun Microsystems, Make It Fly, London (2008). AnchorHavelund 10Havelund 10[Havelund 2010]  Klaus Havelund, and Al Niessner.  JPL Coding Standard, Version 1.1 (January 25, 2010)   AnchorHenney 03Henney 03 [Henney 2003] Henney, Kevlin. Null Object, Something for Nothing (2003). AnchorHirondelle 13Hirondelle 13[Hirondelle 2013] Hirondelle Systems. Passwords Never Clear in Text (2013). AnchorHitchens 02Hitchens 02 [Hitchens 2002] Hitchens, Ron. Java™ NIO. Cambridge, MA: O'Reilly (2002). AnchorHornig 07Hornig 07 [Hornig 2007] Hornig, Charles. Advanced Java™ Globalization. JavaOne Conference (2007). AnchorHovemeyer 07Hovemeyer 07 [Hovemeyer 2007] Hovemeyer, David, and William Pugh. Finding More Null Pointer Bugs, But Not Too Many. In Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE), San Diego (2007). AnchorHunt 98Hunt 98 [Hunt 1998] Hunt, J., and F. Long. Java's Reliability: An Analysis of Software Defects in Java. IEE Proceedings: Software 145(2/3):41–50 (1998). AnchorIEC 60812 2006IEC 60812 2006 [IEC 60812 2006] IEE (International Electrotechnical Commission). Analysis Techniques for System Reliability: Procedure for Failure Mode and Effects Analysis (FMEA), 2nd ed. Geneva: IEC (2006). AnchorIEEE 754 2006IEEE 754 2006 [IEEE 754 2006] IEEE (Institute of Electrical and Electronics Engineers). Standard for Binary Floating-Point Arithmetic (IEEE 754-1985). New York: IEEE (2006). AnchorISO/IEC 9899 2011ISO/IEC 9899 2011[ISO/IEC 9899:2011] ISO/IEC. Programming Languages—C, 3rd ed (ISO/IEC 9899:2011). Geneva, Switzerland: International Organization for Standardization (2011).  AnchorISO/IEC TR 24772 13ISO/IEC TR 24772 13[ISO/IEC TR 24772:2013] ISO/IEC TR 24772:2013. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use.  Geneva, Switzerland: International Organization for Standardization (March 2013). AnchorJ2SE 00J2SE 00 [J2SE 2000] JavaTM 2 SDK, Standard Edition Documentation, J2SE Documentation version 1.3. Sun Microsystems/Oracle (2000/2010). AnchorJarSpec 08JarSpec 08 [JarSpec 2008] J2SE Documentation version 1.5, Jar File Specification. Oracle (2008/2010). AnchorJava 06Java 06 [Java 2006] java: The Java Application Launcher. Oracle (2006/2011). AnchorJava2NS 99Java2NS 99 [Java2NS 1999] Pistoia, Marco, Duane F. Reller, Deepak Gupta, Milind Nagnur, and Ashok K. Ramani. Java 2 Network Security. Upper Saddle River, NJ: Prentice Hall (1999). AnchorJavaGenerics 04JavaGenerics 04 [JavaGenerics 2004] Java Generics. Oracle (2004). AnchorJavaThreads 99JavaThreads 99 [JavaThreads 1999] Oaks, Scott, and Henry Wong. Java Threads, 2nd ed. Sebastopol, CA: O'Reilly (1999). AnchorJavaThreads 04JavaThreads 04 [JavaThreads 2004] Oaks, Scott, and Henry Wong. Java Threads, 3rd ed. Sebastopol, CA: O'Reilly (2004). AnchorJDK7 08JDK7 08 [JDK7 2008] Java™ Platform, Standard Edition 7 Documentation. Oracle (2008). AnchorJLS 05JLS 05 [JLS 2005] Gosling, James, Bill Joy, Guy Steele, and Gilad Bracha. Java Language Specification, 3rd ed. Upper Saddle River, NJ: Prentice Hall (2005). AnchorJLS 11JLS 11 [JLS 2011] Gosling, James, Bill Joy, Guy Steele, Gilad Bracha, and Alex Buckley. Java Language Specification: Java SE 7 Edition. Oracle America (2011). AnchorJMX 06JMX 06 [JMX 2006] Monitoring and Management for the Java Platform. Oracle (2006). AnchorJMXG 06JMXG 06 [JMXG 2006] Java SE Monitoring and Management Guide. Oracle (2006). AnchorJNI 06JNI 06 [JNI 2006] Java Native Interface. Oracle (2006). Anchor Jovanovic 06 Jovanovic 06 [Jovanovic 2006] Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 258–263, May 21–24, Oakland, CA (2006). AnchorJPDA 04JPDA 04 [JPDA 2004] Java Platform Debugger Architecture (JPDA). Oracle (2004). AnchorJPL 06JPL 06 [JPL 2006] Arnold, Ken, James Gosling, and David Holmes. The Java™ Programming Language, 4th ed. Reading, MA: Addison-Wesley Professional (2006). AnchorJSR-133 04JSR-133 04 [JSR-133 2004] JSR-133: Java™ Memory Model and Thread Specification (2004). AnchorJVMTI 06JVMTI 06 [JVMTI 2006] Java Virtual Machine Tool Interface (JVM TI). Oracle (2006). AnchorJVMSpec 99JVMSpec 99 [JVMSpec 1999] The Java Virtual Machine Specification. Oracle (1999). AnchorJVMSpec 13JVMSpec 13 [JVMSpec 2013] The Java Virtual Machine Specification Java SE 7 Edition. Oracle (2013). AnchorKabanov 09Kabanov 09 [Kabanov 2009] Kabanov, Jevgeni. The Ultimate Java Puzzler (2009). AnchorKabutz 01Kabutz 01 [Kabutz 2001] Kabutz, Heinz M. The Java Specialists' Newsletter. (2001). AnchorKalinovsky 04Kalinovsky 04 [Kalinovsky 2004] Kalinovsky, Alex. Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering. Indianapolis: SAMS (2004). AnchorKnoernschild 01Knoernschild 01 [Knoernschild 2001] Knoernschild, Kirk. Java™ Design: Objects, UML, and Process. Boston: Addison-Wesley Professional (2001). AnchorLai 08Lai 08 [Lai 2008] Lai, Charlie. Java Insecurity: Accounting for Subtleties That Can Compromise Code. IEEE Software 25(1):13–19 (2008). AnchorLanger 08Langer 08 [Langer 2008] Langer, Angelica, trainer and consultant. http://www.angelikalanger.com/GenericsFAQ/FAQSections/ProgrammingIdioms.html (2008). AnchorLea 00Lea 00 [Lea 2000] Lea, Doug. Concurrent Programming in Java: Design Principles and Patterns, 2nd ed. Reading, MA: Addison-Wesley (2000). AnchorLea 00bLea 00b [Lea 2000b] Lea, Doug, and William Pugh. Correct and Efficient Synchronization of Java™ Technology–based Threads. JavaOne Conference (2000). AnchorLea 08Lea 08 [Lea 2008] Lea, Doug. The JSR-133 Cookbook for Compiler Writers (2008/2011). AnchorLee 09Lee 09 [Lee 2009] Lee, Sangjin, Mahesh Somani, and Debashis Saha, eBay Inc. Robust and Scalable Concurrent Programming: Lessons from the Trenches. JavaOne Conference (2009). AnchorLiang 97Liang 97 [Liang 1997] Liang, Sheng. The Java™ Native Interface: Programmer's Guide and Specification. Reading, MA: Addison-Wesley (1997). AnchorLiang 98Liang 98 [Liang 1998] Liang, Sheng, and Gilad Bracha. Dynamic Class Loading in the Java™ Virtual Machine. In Proceedings of the 13th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, New York (1998). AnchorLieberman 86Lieberman 86 [Lieberman 1986] Lieberman, Henry. Using Prototypical Objects to Implement Shared Behavior in Object-Oriented Systems. In Proceedings of the Conference on Object-Oriented Programming Systems, Languages and Applications, pp. 214–223, Portland, OR (1986). AnchorLo 05Lo 05 [Lo 2005] Lo, Chia-Tien Dan, Witawas Srisa-an, and J. Morris Chang. Security Issues in Garbage Collection. STSC Crosstalk, (2005, October). AnchorLong 05Long 05 [Long 2005] Long, Fred. Software Vulnerabilities in Java. CMU/SEI-2005-TN-044 (2005). AnchorLong 11Long 11 [Long 2011] Long, Fred, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, and David Svoboda. The CERT Oracle Secure Coding Standard for Java, SEI Series in Software Engineering. Upper Saddle River, NJ: Addison-Wesley (2011) AnchorLow 97Low 97 [Low 1997] Low, Douglas. Protecting Java Code via Obfuscation. Crossroads 4(3):21–23 (1997). AnchorMacgregor 98Macgregor 98 [Macgregor 1998] MacGregor, Robert, Dave Durbin, John Owlett, and Andrew Yeomans. Java Network Security. Upper Saddle River, NJ: Prentice Hall PTR (1998). AnchorMahmoud 02Mahmoud 02 [Mahmoud 2002] Mahmoud, H. Qusay. Compressing and Decompressing Data Using Java APIs. Oracle (2002). AnchorMak 02Mak 02 [Mak 2002] Mak, Ronald. Java Number Cruncher: The Java Programmer's Guide to Numerical Computing. Upper Saddle River, NJ: Prentice Hall (2002). AnchorManion 13Manion 13[Manion 2013] Manion, Art. Anatomy of Java Exploits, CERT/CC Blog (January 15, 2013). AnchorManson 04Manson 04 [Manson 2004] Manson, Jeremy, and Brian Goetz. JSR 133 (Java Memory Model) FAQ (2004). AnchorManson 06Manson 06 [Manson 2006] Manson, Jeremy, and William Pugh. The Java™ Memory Model: The Building Block of Concurrency. JavaOne Conference (2006). AnchorMartin 96Martin 96 [Martin 1996] Martin, Robert C. Granularity. The C++ Report 8(10):57–62 (1996). AnchorMcCluskey 01McCluskey 01 [McCluskey 2001] McCluskey, Glen. Java Developer Connection Tech Tips. (2001, April 10). AnchorMcGraw 98McGraw 98 [McGraw 1998] McGraw, Gary, and Edward W. Felten. Twelve Rules for Developing More Secure Java Code. JavaWorld.com (1998). AnchorMcGraw 99McGraw 99 [McGraw 1999] McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code. New York: Wiley (1999). AnchorMettler 10Mettler 10 [Mettler 2010] Adrian Mettler and David Wagner, Class Properties for Security Review in an Object-Capability Subset of Java, Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '10). ACM, Article 7, doi: 10.1145/1814217.1814224, 2010. AnchorMiller 09Miller 09 [Miller 2009] Miller, Alex. Java™ Platform Concurrency Gotchas. JavaOne Conference (2009). AnchorMISRA 04MISRA 04 [MISRA 2004] MISRA Limited. MISRA C: 2004 Guidelines for the Use of the C Language in Critical Systems. Warwickshire, UK: MIRA Limited, October 2004 (ISBN 095241564X). AnchorMITRE CVEMITRE CVE [MITRE CVE] MITRE Corporation. Common Vulnerabilities and Exposures (2008/2013). AnchorMITRE CWEMITRE CWE [MITRE CWE] MITRE Corporation. Common Weakness Enumeration (2013). AnchorMocha 07Mocha 07 [Mocha 2007] Mocha, the Java Decompiler (2007). AnchorMonsch 06Monsch 06 [Monsch 2006] Monsch, Jan P. Ruining Security with java.util.Random, Version 1.0 (2006). AnchorMSDN 09MSDN 09 [MSDN 2009] Microsoft. Using SQL Escape Sequences (2009). AnchorMuchow 01Muchow 01 [Muchow 2001] Muchow, John W. MIDlet Packaging with J2ME. ONJava (2001). AnchorMuller 02Muller 02 [Müller 2002] Müller, Andreas, and Geoffrey Simmons. Exception Handling: Common Problems and Best Practice with Java 1.4. Sun Microsystems (2002). AnchorNaftalin 06Naftalin 06 [Naftalin 2006] Naftalin, Maurice, and Philip Wadler. Java Generics and Collections. Sebastopol, CA: O'Reilly (2006). AnchorNaftalin 06bNaftalin 06b [Naftalin 2006b] Naftalin, Maurice, and Philip Wadler. Java™ Generics and Collections: Tools for Productivity. JavaOne Conference (2007). AnchorNetzer 92Netzer 92 [Netzer 1992] Netzer, Robert H. B., and Barton P. Miller. What Are Race Conditions? Some Issues and Formalization. ACM Letters on Programming Languages and Systems 1(1):74–88 (1992). AnchorNeward 04Neward 04 [Neward 2004] Neward, Ted. Effective Enterprise Java. Boston: Addison-Wesley (2004). AnchorNisewanger 07Nisewanger 07 [Nisewanger 2007] Nisewanger, Jeff. Avoiding Antipatterns. JavaOne Conference (2007). AnchorNolan 04Nolan 04 [Nolan 2004] Nolan, Godfrey. Decompiling Java. Berkeley, CA: Apress (2004). AnchorOaks 01Oaks 01 [Oaks 2001] Oaks, Scott. Java Security. Sebastopol, CA: O'Reilly (2001). AnchorOracle 08aOracle 08a [Oracle 2008a] Package javax.servlet.http. Oracle (2008). AnchorOracle 08bOracle 08b [Oracle 2008b] Permissions in the Java™ SE 6 Development Kit (JDK). Oracle (2008). AnchorOracle 10aOracle 10a [Oracle 2010a] Java SE 6 HotSpot™ Virtual Machine Garbage Collection Tuning. Oracle (2010). AnchorOracle 10bOracle 10b [Oracle 2010b] New I/O APIs. Oracle (2010). AnchorOracle 11Oracle 11 [Oracle 2011] Package javax.servlet.http. Oracle (2011). AnchorOracle 12aOracle 12a [Oracle 2012a] API for Privileged Blocks. Oracle (1993/2012). AnchorOracle 12bOracle 12b [Oracle 2012b] "Reading ASCII Passwords from an InputStream Example," Java Cryptography Architecture (JCA) Reference Guide. Oracle (2012). AnchorOracle 12cOracle 12c [Oracle 2012c] Java Platform Standard Edition 7 Documentation. Oracle (2012). AnchorOracle 12dOracle 12d [Oracle 2012d] Permissions in Java SE 7 Development Kit (JDK). Oracle (2012). AnchorOracle 13Oracle 13[Oracle 2013]  Oracle Security Alert for CVE-2013-0422. Oracle (2013). AnchorOWASP 05OWASP 05 [OWASP 2005] OWASP (Open Web Application Security Project). A Guide to Building Secure Web Applications and Web Services (2005). AnchorOWASP 07OWASP 07 [OWASP 2007] OWASP. OWASP Top 10 for JAVA EE (2007). AnchorOWASP 08OWASP 08 [OWASP 2008] OWASP. Open Web Application Security Project homepage (2008). AnchorOWASP 09OWASP 09 [OWASP 2009] OWASP. Session Fixation in Java (2009). AnchorOWASP 11OWASP 11 [OWASP 2011] OWASP. Cross-site Scripting (XSS) (2011). AnchorOWASP 12OWASP 12 [OWASP 2012] OWASP. Hashing Java, "Why Add Salt?" (2012). AnchorPaar 09Paar 09[Paar 2009] Paar, Christof, and Jan Pelzl. Understanding Cryptography, A Textbook for Students and Practitioners (companion website contains online cryptography course that covers hash functions). Berlin: Springer (2009). AnchorPhilion 03Philion 03 [Philion 2003] Philion, Paul. Beware the Dangers of Generic Exceptions. JavaWorld.com (2003). AnchorPhillips 05Phillips 05 [Phillips 2005] Phillips, Addison P. Are We Counting Bytes Yet? Writing Encoding Converters Using Java NIO. Paper presented at the 27th Internationalization and Unicode Conference, April 6–8, Berlin (2005). AnchorPistoia 04Pistoia 04 [Pistoia 2004] Pistoia, Marco, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java Security: Building Secure J2EE Applications. Boston: Addison-Wesley (2004). AnchorPolicy 02Policy 02 [Policy 2002] Default Policy Implementation and Policy File Syntax, Document revision 1.6, Sun Microsystems/Oracle (2002/2010). AnchorPugh 04Pugh 04 [Pugh 2004] Pugh, William. The Java Memory Model (discussions reference). Discussion based on work supported by the National Science Foundation under Grant No. 0098162 (2004). AnchorPugh 08Pugh 08 [Pugh 2008] Pugh, William. Defective Java Code: Turning WTF Code into a Learning Experience. JavaOne Conference (2008). AnchorPugh 09Pugh 09 [Pugh 2009] Pugh, William. Defective Java Code: Mistakes That Matter. JavaOne Conference (2009). AnchorReasoning 03Reasoning 03 [Reasoning 2003] Reasoning Inspection Service Defect Data: Tomcat v 1.4.24 (2003). AnchorReddy 00Reddy 00 [Reddy 2000] Achut Reddy. Java Coding Style Guide (2000). AnchorReflect 06Reflect 06 [Reflect 2006] Reflection. Oracle (2006). AnchorRogue 00Rogue 00 [Rogue 2000] Vermeulen, Allan, Scott W. Ambler, Greg Bumgardner, and Eldon Metz. The Elements of Java Style. New York: Cambridge University Press (2000). AnchorRotem 08Rotem 08 [Rotem 2008] Rotem-Gal-Oz, Arnon. Fallacies of Distributed Computing Explained (white paper) (2008). AnchorRoubtsov 03Roubtsov 03 [Roubtsov 2003] Roubtsov, Vladimir. Breaking Java Exception-Handling Rules Is Easy. JavaWorld.com (2003). AnchorRoubtsov 03bRoubtsov 03b [Roubtsov 2003b] Roubtsov, Vladimir. Into the Mist of Serialization Myths. JavaWorld.com (2003). AnchorSaltzer 74Saltzer 74 [Saltzer 1974] Saltzer, J. H. Protection and the Control of Information Sharing in Multics. Communications of the ACM 17(7):388–402 (1974). AnchorSaltzer 75Saltzer 75 [Saltzer 1975] Saltzer, J. H., and M. D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE 63(9):1278–1308. AnchorSCG 07SCG 07 [SCG 2007] Secure Coding Guidelines for the Java Programming Language, version 2.0. Sun Microsystems (2007). AnchorSCG 09SCG 09 [SCG 2009] Secure Coding Guidelines for the Java Programming Language, version 3.0. Oracle (2009). AnchorSCG 10SCG 10 [SCG 2010] Secure Coding Guidelines for the Java Programming Language, version 4.0. Oracle (2010). AnchorSchildt 07Schildt 07 [Schildt 2007] Schildt, Herb. Herb Schildt's Java Programming Cookbook. New York: McGraw-Hill (2007). AnchorSchneier 00Schneier 00 [Schneier 2000] Schneier, Bruce. Secrets and Lies—Digital Security in a Networked World. New York: Wiley (2000). AnchorSchoenefeld 04Schoenefeld 04 [Schoenefeld 2004] Java Vulnerabilities in Opera 7.54 BUGTRAQ Mailing List (bugtraq@securityfocus.com) (2004, November). AnchorSchwarz 04Schwarz 04 [Schwarz 2004] Schwarz, Don. Avoiding Checked Exceptions. ONJava (2004). AnchorSchweisguth 03Schweisguth 03 [Schweisguth 2003] Schweisguth, Dave. Java Tip 134: When Catching Exceptions, Don't Cast Your Net Too Wide. JavaWorld.com (2003). AnchorSDN 08SDN 08 [SDN 2008] Sun Developer Network. Sun Microsystems (1994/2008). AnchorSeacord 05Seacord 05 [Seacord 2005] Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley (2005). See http://www.cert.org/books/secure-coding for news and errata. AnchorSeacord 08Seacord 08 [Seacord 2008] Seacord, Robert C. The CERT C Secure Coding Standard. Boston: Addison-Wesley (2008). AnchorSeacord 12Seacord 12

[Seacord 2012] Seacord, Robert, Will Dormann, James McCurley, Philip Miller, Robert Stoddard, David Svoboda,  and Jefferson Welch.   Source Code Analysis Laboratory (SCALe) (CMU/SEI-2012-TN-013). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012. http://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm

Dennis 1966] Dennis, Jack B., and Earl C. Van Horn. 1966. Programming Semantics for Multiprogrammed Computations. Communications of the ACM, 9(3):143–155 (1966). doi: 10.1145/365230.365252.

Anchor
Dougherty 2009
Dougherty 2009

[Dougherty 2009] Dougherty, Chad, Kirk Sayre, Robert C. Seacord, David Svoboda, and Kazuya Togashi. Secure Design Patterns. CMU/SEI-2009-TR-010 (2009).

Anchor
ESA 05
ESA 05

[ESA 2005] ESA (European Space Agency). Java Coding Standards. Prepared by ESA Board for Software Standardisation and Control (BSSC) (2005).

Anchor
FindBugs 08
FindBugs 08

[FindBugs 2008] FindBugs Bug Descriptions (2008/2011).

Anchor
Flanagan 05
Flanagan 05

[Flanagan 2005] Flanagan, David. Java in a Nutshell, 5th ed. Sebastopol, CA: O'Reilly Media (2005).

Anchor
Fortify 08
Fortify 08
Anchor
Fortify 14
Fortify 14

[Fortify 2014] Fortify Software Security Research Group with Gary McGraw. A Taxonomy of Coding Errors That Affect Security (see Java/JSP) (2008/2014).

Anchor
GNU 13
GNU 13

[GNU 2013] GNU Coding Standards, §5.3, "Clean Use of C Constructs." Richard Stallman and other GNU Project volunteers (2013).

Anchor
Goetz 04
Goetz 04

[Goetz 2004] Goetz, Brian. Java Theory and Practice: Garbage Collection and Performance: Hints, Tips, and Myths about Writing Garbage Collection-Friendly Classes. IBM developerWorks (2004).

Anchor
Goetz 06
Goetz 06

[Goetz 2006] Goetz, Brian, Tim Peierls, Joshua Bloch, Joseph Bowbeer, David Holmes, and Doug Lea. Java Concurrency in Practice. Boston: Addison-Wesley Professional (2006).

Anchor
Goetz 07
Goetz 07

[Goetz 2007] Goetz, Brian. Java Theory and Practice: Managing Volatility: Guidelines for Using Volatile Variables. IBM developerWorks (2007).

Anchor
Gong 03
Gong 03

[Gong 2003] Gong, Li, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Boston: Addison-Wesley (2003).

Anchor
Goodliffe 06
Goodliffe 06
Anchor
Goodliffe 07
Goodliffe 07

[Goodliffe 2007] Pete Goodliffe.
Code Craft: The Practice of Writing Excellent Code. San Francisco: No Starch Press (2007).

Anchor
Grand 02
Grand 02

[Grand 2002] Grand, Mark. Patterns in Java, Vol. 1: A Catalog of Reusable Design Patterns Illustrated with UML, 2nd ed. Indianapolis, IN: Wiley (2002).

Anchor
Grubb 03
Grubb 03

[Grubb 2003] Penny Grubb, and Armstrong A. Takang. Software Maintenance Concepts and Practice, 2nd ed.  River Edge, NJ: World Scientific (2003).       

Anchor
Guillardoy 12
Guillardoy 12

[Guillardoy 2012] Guillardoy, Esteban. Java 0-day Analysis (CVE-2012-4681) (2012).

Anchor
Hatton 95
Hatton 95

[Hatton 1995] Hatton, Les. Safer C: Developing Software for High-Integrity and Safety-Critical Systems. New York: McGraw-Hill (1995).

Anchor
Havelund 10
Havelund 10
Anchor
Havelund 09
Havelund 09

[Havelund 2009]  Havelund, Klaus, and Al Niessner.  JPL Coding Standard, Version 1.1 (2009)  

Anchor
Hawtin 06
Hawtin 06

[Hawtin 2006] Hawtin, Thomas. [drlvm][kernel_classes] ThreadLocal Vulnerability. MarkMail (2006).

Anchor
Hirondelle 13
Hirondelle 13

[Hirondelle 2013] Hirondelle Systems. Passwords Never Clear in Text (2013).

Anchor
ISO/IEC 01
ISO/IEC 01

[ISO/IEC 9126-1:2001] Software Engineering—Product Quality—Part 1, Quality Model (ISO/IEC 9126-1:2001). Geneva, Switzerland: International Organization for Standardization (2001).

Anchor
ISO/IEC 10
ISO/IEC 10

[ISO/IEC 24765:2010] Systems and Software Engineering—Vocabulary (ISO/IEC 24765:2010). Geneva, Switzerland: International Organization for Standardization (2010).

Anchor
JLS 13
JLS 13

[JLS 2013] Gosling, James, Bill Joy, Guy Steele, Gilad Bracha, and Alex Buckley. Java Language Specification: Java SE 7 Edition. Oracle America (2013).

Anchor
Jovanovic 06
Jovanovic 06

[Jovanovic 2006] Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 258–263, May 21–24, Oakland, CA (2006).

Anchor
JPL 06
JPL 06

[JPL 2006] Arnold, Ken, James Gosling, and David Holmes. The Java™ Programming Language, 4th ed. Reading, MA: Addison-Wesley Professional (2006).

Anchor
JVMSpec 99
JVMSpec 99

[JVMSpec 1999] The Java Virtual Machine Specification. Sun Microsystems (1999).

Anchor
JVMSpec 13
JVMSpec 13

[JVMSpec 2013] The Java Virtual Machine Specification: Java SE 7 Edition. Oracle America (2013).

Anchor
Kabanov 09
Kabanov 09

[Kabanov 2009] Kabanov, Jevgeni. The Ultimate Java Puzzler (2009).

Anchor
Kalinovsky 04
Kalinovsky 04

[Kalinovsky 2004] Kalinovsky, Alex. Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering. Indianapolis: SAMS (2004).

Anchor
Knoernschild 02
Knoernschild 02

[Knoernschild 2002] Knoernschild, Kirk. Java™ Design: Objects, UML, and Process. Boston: Addison-Wesley Professional (2002).

Anchor
Lea 00
Lea 00

[Lea 2000] Lea, Doug. Concurrent Programming in Java: Design Principles and Patterns, 2nd ed. Boston: Addison-Wesley (2000).

Anchor
Lo 05
Lo 05

[Lo 2005] Lo, Chia-Tien Dan, Witawas Srisa-an, and J. Morris Chang. Security Issues in Garbage Collection. STSC Crosstalk, (2005, October).

Anchor
Long 11
Long 11
Anchor
Long 12
Long 12

[Long 2012] Long, Fred, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, and David Svoboda. The CERT Oracle Secure Coding Standard for Java, SEI Series in Software Engineering. Boston: Addison-Wesley (2012).

Anchor
Manion 13
Manion 13

[Manion 2013] Manion, Art. Anatomy of Java Exploits, CERT/CC Blog (January 15, 2013).

Anchor
Martin 96
Martin 96

[Martin 1996] Martin, Robert C. Granularity. The C++ Report 8(10):57–62 (1996).

Anchor
McGraw 99
McGraw 99

[McGraw 1999] McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code, 2nd ed. New York: Wiley (1999).

Anchor
Mettler 10
Mettler 10

[Mettler 2010] Adrian Mettler and David Wagner, Class Properties for Security Review in an Object-Capability Subset of Java, Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '10). ACM, Article 7, DOI: 10.1145/1814217.1814224, 2010.

Anchor
Miller 09
Miller 09

[Miller 2009] Miller, Alex. Java™ Platform Concurrency Gotchas. JavaOne Conference (2009).

Anchor
Netzer 92
Netzer 92

[Netzer 1992] Netzer, Robert H. B., and Barton P. Miller. What Are Race Conditions? Some Issues and Formalization. ACM Letters on Programming Languages and Systems 1(1):74–88 (1992).

Anchor
NIST 800-63
NIST 800-63

[NIST 2017] NIST Special Publication 800-63 (2017).

Anchor
Oaks 01
Oaks 01

[Oaks 2001] Oaks, Scott. Java Security. Sebastopol, CA: O'Reilly (2001).

Anchor
Oracle 08
Oracle 08

[Oracle 2008] Permissions in the Java™ SE 6 Development Kit (JDK). Oracle (2008).

Anchor
Oracle 10a
Oracle 10a

[Oracle 2010a] Java SE 6 HotSpot™ Virtual Machine Garbage Collection Tuning. Oracle (2010).

Anchor
Oracle 10b
Oracle 10b

[Oracle 2010b] New I/O APIs. Oracle (2010).

Anchor
Oracle 11a
Oracle 11a
Anchor
Oracle 11
Oracle 11

[Oracle 2011a] Java PKI Programmer's Guide, Oracle, 2011.

Anchor
Oracle 11b
Oracle 11b

[Oracle 2011b] Java Platform™, Standard Edition 6 Documentation, Oracle, 2011.

Anchor
Oracle 11c
Oracle 11c

[Oracle 2011c] Package javax.servelt.http, Oracle  2011.

Anchor
Oracle 11d
Oracle 11d

[Oracle 2011d] Permissions in the Java™ SE 6 Development Kit (JDK), Oracle, 2011.

Anchor
Oracle 12a
Oracle 12a

[Oracle 2012a] API for Privileged Blocks. Oracle (1993/2012).

Anchor
Oracle 12b
Oracle 12b

[Oracle 2012b] "Reading ASCII Passwords from an InputStream Example," Java Cryptography Architecture (JCA) Reference Guide. Oracle (2012).

Anchor
Oracle 12c
Oracle 12c

[Oracle 2012c] Java Platform Standard Edition 7 Documentation. Oracle (2012).

Anchor
Oracle 13a
Oracle 13a

[Oracle 2013a] API for Privileged Blocks, Oracle, 1993/2013.

Anchor
Oracle 13b
Oracle 13b

[Oracle 2013b] Reading ASCII Passwords from an InputStream Example, Java Cryptography Architecture (JCA) Reference Guide, Oracle, 2013.

Anchor
Oracle 13c
Oracle 13c

[Oracle 2013c] Java Platform Standard Edition 7 Documentation, Oracle, 2013.

Anchor
Oracle 13d
Oracle 13d
Anchor
Oracle 13
Oracle 13

[Oracle 2013d] Oracle Security Alert for CVE-2013-0422, Oracle, 2013.

Anchor
OWASP 05
OWASP 05

[OWASP 2005] OWASP (Open Web Application Security Project). A Guide to Building Secure Web Applications and Web Services (2005).

Anchor
OWASP 08
OWASP 08

[OWASP 2008] OWASP. Open Web Application Security Project homepage (2008).

Anchor
OWASP 09
OWASP 09

[OWASP 2009] OWASP. Session Fixation in Java (2009).

Anchor
OWASP 11
OWASP 11

[OWASP 2011] OWASP. Cross-site Scripting (XSS) (2011).

Anchor
OWASP 12
OWASP 12

[OWASP 2012] OWASP. "Why Add Salt?" Hashing Java (2012).

Anchor
OWASP 13
OWASP 13

[OWASP 2013] OWASP. OWASP Guide Project (2011).

Anchor
Paar 09
Paar 09
Anchor
Paar 10
Paar 10

[Paar 2010] Paar, Christof, and Jan Pelzl. Understanding Cryptography: A Textbook for Students and Practitioners. New York: Springer (2009). (Companion website contains online cryptography course that covers hash functions.)

Anchor
Pistoia 04
Pistoia 04

[Pistoia 2004] Pistoia, Marco, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java Security: Building Secure J2EE Applications. Boston: Addison-Wesley (2004).

Anchor
Policy 02
Policy 02
Anchor
Policy 10
Policy 10

[Policy 2010] Default Policy Implementation and Policy File Syntax, Document revision 1.6, Oracle (2010).

Anchor
Reddy 00
Reddy 00

[Reddy 2000] Reddy, Achut. Java Coding Style Guide. (2000).

Anchor
Rogue 00
Rogue 00

[Rogue 2000] Vermeulen, Allan, Scott W. Ambler, Greg Bumgardner, and Eldon Metz. The Elements of Java Style. New York: Cambridge University Press (2000).

Anchor
SCG 10
SCG 10

[SCG 2010] Secure Coding Guidelines for the Java Programming Language, version 4.0. Oracle (2010).

Anchor
Seacord 08
Seacord 08
Anchor
Seacord 09
Seacord 09

[Seacord 2009] Seacord, Robert C. The CERT C Secure Coding Standard. Boston: Addison-Wesley (2009).

Anchor
Seacord 12
Seacord 12

[Seacord 2012] Seacord, Robert, Will Dormann, James McCurley, Philip Miller, Robert Stoddard, David Svoboda, and Jefferson Welch. Source Code Analysis Laboratory (SCALe) (CMU/SEI-2012-TN-013). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012. http://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm.

Anchor
Seacord 13
Seacord 13

[Seacord 2013] Seacord, Robert C. Secure Coding in C and C++, 2nd ed. Boston: Addison-Wesley (2013). See http://www.cert.org/books/secure-coding for news and errata.

Anchor
SecuritySpec 08
SecuritySpec 08
Anchor
SecuritySpec 10
SecuritySpec 10

[SecuritySpec 2010] Java Security Architecture. Oracle (2010).

Anchor
Sen 07
Sen 07

[Sen 2007] Sen, Robi. Avoid the Dangers of XPath Injection. IBM developerWorks (2007).

Anchor
Sethi 09
Sethi 09

[Sethi 2009] Sethi, Amit. Proper Use of Java's SecureRandom. Cigital Justice League Blog (2009).

Anchor
Steinberg 05
Steinberg 05
Anchor
Steinberg 08
Steinberg 08

[Steinberg 2008] Steinberg, Daniel H. Using the Varargs Language Feature. Java Developer Connection Tech Tips (2008).

Anchor
Sterbenz 06
Sterbenz 06

[Sterbenz 2006] Sterbenz, Andreas, and Charlie Lai. Secure Coding Antipatterns: Avoiding Vulnerabilities. JavaOne Conference (2006).

Anchor
Sun 06
Sun 06

[Sun 2006] Java™ Platform, Standard Edition 6 Documentation. Oracle (2006).

Anchor
Sutherland 10
Sutherland 10

[Sutherland 2010] Sutherland, Dean F., and William L. Scherlis. Composable Thread Coloring. In Proceedings of the 15th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming. New York: ACM (2010).

Anchor
Tools 11
Tools 11

[Tools 2011] JDK Tools and Utilities Specification. Oracle (2011).

Anchor
Tutorials 08
Tutorials 08
Anchor
Tutorials 13
Tutorials 13

[Tutorials 2013] The Java Tutorials. Oracle (2013).

Anchor
Unicode 09
Unicode 09

[Unicode 2009] The Unicode Consortium. The Unicode Standard, Version 5.2.0, defined by The Unicode Standard, Version 5.2. Mountain View, CA: The Unicode Consortium (2009).

Anchor
Unicode 13
Unicode 13

[Unicode 2013] The Unicode Consortium. The Unicode Standard, Version 6.2.0, defined by Unicode 6.2.0. Mountain View, CA: The Unicode Consortium (2013).

Anchor
Vermeulen 00
Vermeulen 00

[Vermeulen 2000] Vermeulen, Allan, Scott W. Ambler, Greg Bumgardner, and Eldon Metz. The Elements of Java Style. New York: Cambridge University Press (2000).

Anchor
Viega 05
Viega 05

[Viega 2005] Viega, John. CLASP Reference Guide, Volume 1.1. Secure Software (2005).

Anchor
W3C 03
W3C 03

[W3C 2003] The World Wide Web Security FAQ. World Wide Web Consortium (W3C) (2003).

Anchor
Ware 08
Ware 08

[Ware 2008] Ware, Michael S. Writing Secure Java Code: A Taxonomy of Heuristics and an Evaluation of Static Analysis Tools (thesis). James Madison University (2008 AnchorSeacord 13Seacord 13 [Seacord 2013] Seacord, Robert C. Secure Coding in C and C++, 2nd ed. Boston: Addison-Wesley (2013). See http://www.cert.org/books/secure-coding for news and errata. AnchorSecArch 06SecArch 06 [SecArch 2006] Java 2 Platform Security Architecture. Oracle (2006). AnchorSecurity 06Security 06 [Security 2006] Java Security Guides. Oracle (2006). AnchorSecuritySpec 08SecuritySpec 08 [SecuritySpec 2008] Java Security Architecture. Oracle (2008/2010). AnchorSen 07Sen 07 [Sen 2007] Sen, Robi. Avoid the Dangers of XPath Injection. IBM developerWorks (2007). AnchorSethi 09Sethi 09 [Sethi 2009] Sethi, Amit. Proper Use of Java's SecureRandom. Cigital Justice League Blog (2009). AnchorSpinellis 2006Spinellis 2006 [Spinellis 2006] Spinellis, Diomidis. Code Quality: The Open Source Perspective. Boston: Addison-Wesley, 2006. AnchorSteel 05Steel 05 [Steel 2005] Steel, Christopher, Ramesh Nagappan, and Ray Lai. Core Security Patterns: Best Practices and Strategies for J2EE™, Web Services, and Identity Management. Upper Saddle River, NJ: Prentice Hall PTR (2005). AnchorSteele 1977Steele 1977 [Steele 1977] Steele, Guy Lewis. Arithmetic Shifting Considered Harmful. SIGPLAN Notices 12(11):61–69 (1977). AnchorSteinberg 05Steinberg 05 [Steinberg 2005] Steinberg, Daniel H. Java Developer Connection Tech Tips: Using the Varargs Language Feature. (2005, January 4). AnchorSterbenz 06Sterbenz 06 [Sterbenz 2006] Sterbenz, Andreas, and Charlie Lai. Secure Coding Antipatterns: Avoiding Vulnerabilities. JavaOne Conference (2006). AnchorSteuck 02Steuck 02 [Steuck 2002] Steuck, Gregory. XXE (Xml eXternal Entity) Attack. SecurityFocus (2002). AnchorSun 04Sun 04 [Sun 1999] Why Are Thread.stop, Thread.suspend, Thread.resume and Runtime.runFinalizersOnExit Deprecated? Oracle (1999). AnchorSun 03Sun 03 [Sun 2003] Sun ONE Application Server 7 Performance Tuning Guide. Oracle (2003). AnchorSun 06Sun 06 [Sun 2006] Java™ Platform, Standard Edition 6 Documentation. Oracle (2006). AnchorSun 08Sun 08 [Sun 2008] Java™ Plug-in and Applet Architecture. Oracle (2008). AnchorSutherland 10Sutherland 10 [Sutherland 2010] Sutherland, Dean F., and William L. Scherlis. Composable Thread Coloring. In Proceedings of the 15th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming. New York: ACM (2010). Anchor Tanenbaum 03 Tanenbaum 03 [Tanenbaum 2003] Tanenbaum, Andrew S., and Maarten Van Steen. Distributed Systems: Principles and Paradigms, 2nd. ed. Upper Saddle River, NJ: Prentice Hall. AnchorTechtalk 07Techtalk 07 [Techtalk 2007] Bloch, Josh, and William Pugh. The Phantom-Reference Menace, Attack of the Clone, Revenge of the Shift. JavaOne Conference (2007). AnchorTomcat 09Tomcat 09 [Tomcat 2009] Tomcat Documentation: Changelog and Security Fixes. Apache Software Foundation (2009). AnchorTools 11Tools 11 [Tools 2011] JDK Tools and Utilities Specification. Oracle (2011). AnchorTutorials 08Tutorials 08 [Tutorials 2008] The Java Tutorials. Oracle (2008). AnchorUnicode 09Unicode 09 [Unicode 2009] The Unicode Consortium. The Unicode Standard, Version 5.2.0, defined by The Unicode Standard, Version 5.2. Mountain View, CA: The Unicode Consortium (2009). AnchorUnicode 13Unicode 13 [Unicode 2013] The Unicode Consortium. The Unicode Standard, Version 6.2.0, defined by Unicode 6.2.0. Mountain View, CA: The Unicode Consortium (2013). AnchorVenners 97Venners 97 [Venners 1997] Venners, Bill. Security and the Class Loader Architecture. Java World.com (1997). AnchorVenners 03Venners 03 [Venners 2003] Venners, Bill. Failure and Exceptions: A Conversation with James Gosling, Part II. (2003). AnchorViega 05Viega 05 [Viega 2005] Viega, John. CLASP Reference Guide, Volume 1.1. Secure Software, 2005. AnchorW3C 03W3C 03 [W3C 2003] The World Wide Web Security FAQ. World Wide Web Consortium (W3C) (2003). AnchorW3C 08W3C 08 [W3C 2008] Bray, Tim, Jean Paoli, C. M. Sperberg-McQueen, Eve Maler, and François Yergeau. Extensible Markup Language (XML) 1.0, 5th ed. W3C Recommendation (2008). AnchorWare 08Ware 08 [Ware 2008] Ware, Michael S. Writing Secure Java Code: A Taxonomy of Heuristics and an Evaluation of Static Analysis Tools (thesis). James Madison University (2008). AnchorWeber 09Weber 09 [Weber 2009] Weber, Chris. Exploiting Unicode-Enabled Software. CanSecWest (2009). AnchorWheeler 03Wheeler 03 [Wheeler 2003] Wheeler, David A. Secure Programming for Linux and UNIX HOWTO (2003).

Anchor
White 03
White 03

[White 2003] White, Tom. Memoization in Java Using Dynamic Proxy Classes. O'Reilly onJava.com (August 20, 2003).

Anchor
Zadegan 09
Zadegan 09

[Zadegan 2009] Zadegan, Bryant. A Lesson on Infinite Loops (2009). AnchorZukowski 04Zukowski 04 [Zukowski 2004] Zukowski, John. Java Developer Connection Tech Tips: Creating Custom Security Permissions (2004).