...
Software
...
vulnerability
...
reports
...
and
...
reports
...
of
...
software
...
exploitations
...
continue
...
to
...
grow
...
at
...
an
...
alarming
...
rate,
...
and
...
a
...
significant
...
number
...
of
...
these
...
reports
...
result
...
in
...
technical
...
security
...
alerts.
...
To
...
address
...
this
...
growing
...
threat
...
to
...
the
...
government,
...
corporations,
...
educational
...
institutions,
...
and
...
individuals,
...
systems
...
that
...
are
...
free
...
of
...
software
...
vulnerabilities must be developed.
...
Coding
...
errors
...
cause
...
the
...
majority
...
of
...
software
...
vulnerabilities.
...
For
...
example,
...
64
...
percent
...
of
...
the
...
nearly
...
2,500
...
vulnerabilities
...
in
...
the
...
National
...
Vulnerability
...
Database
...
in
...
2004
...
were
...
caused
...
by
...
programming
...
errors
...
...
...
]
...
.
...
Java
...
is
...
a
...
relatively
...
secure
...
language. It has no explicit pointer manipulation; array and string bounds are automatically checked; attempts at referencing a null pointer are trapped; the arithmetic operations are well defined and platform independent, as are the type conversions. The built-in bytecode verifier ensures that these checks are always in place. Moreover, Java provides comprehensive, fine-grained security mechanisms that can control access to individual files, sockets, and other sensitive resources.
Java program safety, however, can be compromised. The remainder of this chapter describes use cases under which Java programs might be exploited and examples of rules that mitigate against these attacks. Not all of the rules apply to all Java language programs; frequently, their applicability depends on how the software is deployed and your assumptions concerning trust.
Input Validation and Data Sanitization