SEI CERT Oracle Coding Standard for Java
Page Information
Title: Java Coding Guidelines
Author: Joe McManus MGR (Jan 12, 2007)
Last Changed by: Sandy Shrum (Mar 05, 2015)
Tiny Link (useful for email): https://wiki.sei.cmu.edu/confluence/x/eTZGBQ
Incoming Links

SEI CERT Oracle Coding Standard for Java (81 pages):
- DCL51-J. Do not shadow or obscure identifiers in subscopes
- IDS52-J. Prevent code injection
- OBJ52-J. Write garbage-collection-friendly code
- ERR54-J. Use a try-with-resources statement to safely handle closeable resources
- IDS51-J. Properly encode or escape output
- DCL60-J. Avoid cyclic dependencies between packages
- MSC56-J. Detect and remove superfluous code and values
- FIO51-J. Identify files using multiple file attributes
- MSC51-J. Do not place a semicolon immediately following an if, for, or while condition
- DCL54-J. Use meaningful symbolic constants to represent literal values in program logic
- SEC51-J. Minimize privileged code
- 5. Programmer Misconceptions
- DCL58-J. Enable compile-time type checking of variable arity parameter types
- MET53-J. Ensure that the clone() method calls super.clone()
- DCL50-J. Use visually distinct identifiers
- NUM52-J. Be aware of numeric promotion behavior
- ERR53-J. Try to gracefully recover from system errors
- IDS55-J. Understand how escape characters are interpreted when strings are loaded
- MET55-J. Return an empty array or collection instead of a null value for methods that return an array or collection
- EXP54-J. Understand the differences between bitwise and logical operators
- IDS56-J. Prevent arbitrary file upload
- MET50-J. Avoid ambiguous or confusing uses of overloading
- IDS54-J. Prevent LDAP injection
- OBJ57-J. Do not rely on methods that can be overridden by untrusted code
- CON52-J. Document thread-safety and use annotations where applicable
- DCL53-J. Minimize the scope of variables
- NUM50-J. Convert integers to floating point for floating-point operations
- MET56-J. Do not use Object.equals() to compare cryptographic keys
- MSC53-J. Carefully design interfaces before releasing them
- NUM51-J. Do not assume that the remainder operator always returns a nonnegative result for integral operands
- MSC59-J. Limit the lifetime of sensitive data
- DCL59-J. Do not apply public final to constants whose value might change in later releases
- MSC50-J. Minimize the scope of the @SuppressWarnings annotation
- FIO50-J. Do not make assumptions about file creation
- MET51-J. Do not use overloaded methods to differentiate between runtime types
- MSC63-J. Ensure that SecureRandom is properly seeded
- SEC55-J. Ensure that security-sensitive methods are called with validated arguments
- MSC61-J. Do not use insecure or weak cryptographic algorithms
- MSC60-J. Do not use assertions to verify the absence of runtime errors
- SEC50-J. Avoid granting excess privileges
- 1. Security
- OBJ50-J. Never confuse the immutability of a reference with that of the referenced object
- OBJ55-J. Remove short-lived objects from long-lived container objects
- DCL57-J. Avoid ambiguous overloading of variable arity methods
- 00. Input Validation and Data Sanitization (IDS)
- MSC52-J. Finish every set of statements associated with a case label with a break statement
- OBJ51-J. Minimize the accessibility of classes and their members
- Rec.: All Guidelines with Classification
- SEC53-J. Define custom security permissions for fine-grained security
- SEC54-J. Create a secure sandbox using a security manager
- MSC55-J. Use comments consistently and in a readable fashion
- FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with care
- ERR50-J. Use exceptions only for exceptional conditions
- ERR52-J. Avoid in-band error indicators
- MET52-J. Do not use the clone() method to copy untrusted method parameters
- SEC57-J. Do not let untrusted code misuse privileges of callback methods
- EXP52-J. Use braces for the body of an if, for, or while statement
- EXP50-J. Do not confuse abstract object equality with reference equality
- MSC62-J. Store passwords using a hash function
- IDS53-J. Prevent XPath Injection
- SEC52-J. Do not expose methods that use reduced-security checks to untrusted code
- 4. Program Understandability
- MSC58-J. Prefer using iterators over enumerations
- MET54-J. Always provide feedback about the resulting value of a method
- MSC54-J. Avoid inadvertent wrapping of loop counters
- EXP55-J. Use the same type for the second and third operands in conditional expressions
- SEC56-J. Do not serialize direct handles to system resources
- CON51-J. Do not assume that the sleep(), yield(), or getState() methods provide synchronization semantics
- EXP51-J. Do not perform assignments in conditional expressions
- 2. Defensive Programming
- MSC57-J. Strive for logical completeness
- DCL56-J. Do not attach significance to the ordinal associated with an enum
- 3. Reliability
- EXP53-J. Use parentheses for precedence of operation
- DCL52-J. Do not declare more than one variable per declaration
- FIO52-J. Do not store unencrypted sensitive information on the client side
- OBJ56-J. Provide sensitive mutable classes with unmodifiable wrappers
- CON50-J. Do not assume that declaring a reference volatile guarantees safe publication of the members of the referenced object
- OBJ53-J. Do not use direct buffers for short-lived, infrequently used objects
- ERR51-J. Prefer user-defined exceptions over more general exception types
- DCL55-J. Properly encode relationships in constant definitions
Hierarchy

Parent Page: Old Categories

Labels: There are no labels assigned to this page.
Recent Changes

Time              | Editor        | Comment
Mar 05, 2015 10:58 | Sandy Shrum   |
Mar 05, 2015 10:57 | Sandy Shrum   | Reverted from v. 106
Mar 05, 2015 08:57 | Barbara White |
Mar 05, 2015 08:52 | Sandy Shrum   |
Mar 05, 2015 08:47 | Sandy Shrum   |
Outgoing Links

External Links (7):
- www.cert.org/books/java-coding-guidelines/
- https://www.securecoding.cert.org/confluence/display/jg/App…
- www.cert.org/tech_tips/
- https://www.securecoding.cert.org/confluence/display/jg/Pre…
- www.cert.org/secure-coding
- https://www.securecoding.cert.org/confluence/display/seccod…
- www.cert.org/

SEI CERT Oracle Coding Standard for Java (1 page):
- Java Coding Guidelines

SEI CERT C Coding Standard (1 page):
- SEI CERT C Coding Standard (home page)