Secure Coding Rules for Java, Part I

Video description

6+ Hours of Video Instruction


Java Professional Development LiveLessons provides developers with practical guidance for developing Java programs that are robust and secure. These LiveLessons complement The CERT Oracle Secure Coding Standard for Java.


In this video training, Robert provides complementary coverage to the rules in The CERT Oracle Secure Coding Standard for Java, demonstrating common Java programming errors and their consequences using Java 8 and Eclipse. Robert describes language behaviors left to the discretion of JVM and compiler implementers and guides developers in the proper use of Java’s APIs including lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP.

About the Instructor

Robert C. Seacord is the secure coding technical manager in the CERT Division of Carnegie Mellon’s Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania. Robert is also a professor in the Institute for Software Research and the Information Networking Institute at Carnegie Mellon University. He is the author of eight books on software development including The CERT® Oracle® Secure Coding Standard for Java™ (Addison- Wesley, 2012) and Java™ Coding Guidelines 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2013). He has also published more than sixty papers on software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.

Skill Level

  • Advanced

What You Will Learn

  • How to perform common Java language programming tasks correctly.
  • How to avoid programming errors that are not detected or reported by the compiler.
  • How to develop programs that are robust, reliable, secure, and fast.

Who Should Take This Course

  • Java developers who wish to make the transition from a skilled amateur to a software professional capable of developing code that has to work.

Course Requirements

  • Understanding of programming and development
  • Experience with Java programming
  • Familiarity with Eclipse

Table of Contents

Part I (of III)



Lesson 1: Java Security Concepts

Lesson 2: Input Validation and Data Sanitization (IDS)

Lesson 3: Declarations and Initialization (DCL):

Lesson 4: Expressions (EXP)

Lesson 5: Numeric Types and Operations (NUM)

Lesson 6: Characters and Strings (STR)


Part II (of III)


Lesson 1: Object Orientation (OBJ)

Lesson 2: Methods (MET)

Lesson 3: Exceptional Behavior (ERR)

Lesson 4: Input Output (FIO)

Lesson 5: Serialization (SER)

Lesson 6: Platform Security (SEC)

Lesson 7: Runtime Environment (ENV)


Part III (of III)


Lesson 1: Visibility and Atomicity (VNA) 301

Lesson 2: Locking (LCK)

Lesson 3: Thread APIs (THI)

Lesson 4: Thread Pools (TPS)

Lesson 5: Thread-Safety Miscellaneous (TSM))

Lesson 6: Miscellaneous (MSC)


About LiveLessons Video Training

The LiveLessons Video Training series publishes hundreds of hands-on, expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. This professional and personal technology video series features world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, IBM Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Programming, Web Development, Mobile Development, Home and Office Technologies, Business and Management, and more. View all LiveLessons on InformIT at:

Table of contents

  1. Introduction
    1. Secure Coding Rules for Java: Introduction 00:02:10
  2. Lesson 1: Java Security Concepts
    1. Injection attacks 00:15:46
    2. Leaking sensitive data 00:05:04
    3. Denial-of-service attacks 00:08:02
  3. Lesson 2: Input Validation and Data Sanitization (IDS)
    1. IDS00-J. Prevent SQL Injection 00:08:54
    2. IDS01-J. Normalize strings before validating them 00:05:05
    3. IDS03-J. Do not log unsanitized user input 00:03:32
    4. IDS04-J. Safely extract files from ZipInputStream 00:05:10
    5. IDS06-J. Exclude unsanitized user input from format strings 00:05:47
    6. IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method 00:03:33
    7. IDS08-J. Sanitize untrusted data passed to a regex 00:04:21
    8. IDS11-J. Perform any string modifications before validation 00:07:12
    9. IDS16-J. Prevent XML Injection 00:09:34
    10. IDS17-J. Prevent XML External Entity Attacks 00:06:19
  4. Lesson 3: Declarations and Initialization (DCL):
    1. DCL00-J. Prevent class initialization cycles 00:05:10
  5. Lesson 4: Expressions (EXP)
    1. EXP00-J. Do not ignore values returned by methods 00:02:16
    2. EXP01-J. Never dereference null pointers 00:05:13
    3. EXP02-J. Do not use the Object.equals () method to compare two arrays 00:03:27
    4. EXP03-J. Do not use the equality operators when comparing values of boxed primitives 00:07:44
    5. EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type 00:04:38
    6. EXP06-J. Expressions used in assertions must not produce side effects 00:01:35
  6. Lesson 5: Numeric Types and Operations (NUM)
    1. NUM00-J. Detect or prevent integer overflow 00:06:03
    2. NUM01-J. Do not perform bitwise and arithmetic operations on the same data 00:03:43
    3. NUM02-J. Ensure that division and modulo operations do not result in divide-by-zero errors 00:00:54
    4. NUM03-J. Use integer types that can fully represent the possible range of unsigned data 00:02:58
    5. NUM04-J. Do not use floating-point numbers if precise computation is required 00:02:26
    6. NUM05-J. Do not use denormalized numbers 00:03:09
    7. NUM07-J. Do not attempt comparisons with NaN 00:01:27
    8. NUM08-J. Check floating-point inputs for exceptional values 00:03:32
    9. NUM09-J. Do not use floating-point variables as loop counters 00:02:02
    10. NUM10-J. Do not construct BigDecimal objects from floating-point literals 00:01:08
    11. NUM11-J. Do not compare or inspect the string representation of floating-point values 00:01:53
    12. NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data 00:05:01
    13. NUM13-J. Avoid loss of precision when converting primitive integers to floating-point 00:02:57
  7. Lesson 6: Characters and Strings (STR)
    1. STR00-J. Don't form strings containing partial characters from variable-width encodings 00:13:32
    2. STR01-J. Do not assume that a Java char fully represents a Unicode code point 00:10:15
    3. STR02-J. Specify an appropriate locale when comparing locale-dependent data 00:03:44
    4. STR03-J. Do not encode non-character data as a string 00:04:22
    5. STR04-J. Use compatible character encodings when communicating string data between JVMs 00:02:06

Product information

  • Title: Secure Coding Rules for Java, Part I
  • Author(s):
  • Release date: October 2015
  • Publisher(s): Addison-Wesley Professional
  • ISBN: 0134031520