Secure Coding Rules for Java, Part I

Video description

6+ Hours of Video Instruction


Java Professional Development LiveLessons provides developers with practical guidance for developing Java programs that are robust and secure. These LiveLessons complement The CERT Oracle Secure Coding Standard for Java.


In this video training, Robert provides complementary coverage to the rules in The CERT Oracle Secure Coding Standard for Java, demonstrating common Java programming errors and their consequences using Java 8 and Eclipse. Robert describes language behaviors left to the discretion of JVM and compiler implementers and guides developers in the proper use of Java’s APIs including lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP.

About the Instructor

Robert C. Seacord is the secure coding technical manager in the CERT Division of Carnegie Mellon’s Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania. Robert is also a professor in the Institute for Software Research and the Information Networking Institute at Carnegie Mellon University. He is the author of eight books on software development including The CERT® Oracle® Secure Coding Standard for Java™ (Addison- Wesley, 2012) and Java™ Coding Guidelines 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2013). He has also published more than sixty papers on software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.

Skill Level

  • Advanced

What You Will Learn

  • How to perform common Java language programming tasks correctly.
  • How to avoid programming errors that are not detected or reported by the compiler.
  • How to develop programs that are robust, reliable, secure, and fast.

Who Should Take This Course

  • Java developers who wish to make the transition from a skilled amateur to a software professional capable of developing code that has to work.

Course Requirements

  • Understanding of programming and development
  • Experience with Java programming
  • Familiarity with Eclipse

Table of Contents

Part I (of III)



Lesson 1: Java Security Concepts

Lesson 2: Input Validation and Data Sanitization (IDS)

Lesson 3: Declarations and Initialization (DCL):

Lesson 4: Expressions (EXP)

Lesson 5: Numeric Types and Operations (NUM)

Lesson 6: Characters and Strings (STR)


Part II (of III)


Lesson 1: Object Orientation (OBJ)

Lesson 2: Methods (MET)

Lesson 3: Exceptional Behavior (ERR)

Lesson 4: Input Output (FIO)

Lesson 5: Serialization (SER)

Lesson 6: Platform Security (SEC)

Lesson 7: Runtime Environment (ENV)


Part III (of III)


Lesson 1: Visibility and Atomicity (VNA) 301

Lesson 2: Locking (LCK)

Lesson 3: Thread APIs (THI)

Lesson 4: Thread Pools (TPS)

Lesson 5: Thread-Safety Miscellaneous (TSM))

Lesson 6: Miscellaneous (MSC)


About LiveLessons Video Training

The LiveLessons Video Training series publishes hundreds of hands-on, expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. This professional and personal technology video series features world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, IBM Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Programming, Web Development, Mobile Development, Home and Office Technologies, Business and Management, and more. View all LiveLessons on InformIT at:

Table of contents

  1. Introduction
    1. Secure Coding Rules for Java: Introduction
  2. Lesson 1: Java Security Concepts
    1. Injection attacks
    2. Leaking sensitive data
    3. Denial-of-service attacks
  3. Lesson 2: Input Validation and Data Sanitization (IDS)
    1. IDS00-J. Prevent SQL Injection
    2. IDS01-J. Normalize strings before validating them
    3. IDS03-J. Do not log unsanitized user input
    4. IDS04-J. Safely extract files from ZipInputStream
    5. IDS06-J. Exclude unsanitized user input from format strings
    6. IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method
    7. IDS08-J. Sanitize untrusted data passed to a regex
    8. IDS11-J. Perform any string modifications before validation
    9. IDS16-J. Prevent XML Injection
    10. IDS17-J. Prevent XML External Entity Attacks
  4. Lesson 3: Declarations and Initialization (DCL):
    1. DCL00-J. Prevent class initialization cycles
  5. Lesson 4: Expressions (EXP)
    1. EXP00-J. Do not ignore values returned by methods
    2. EXP01-J. Never dereference null pointers
    3. EXP02-J. Do not use the Object.equals () method to compare two arrays
    4. EXP03-J. Do not use the equality operators when comparing values of boxed primitives
    5. EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
    6. EXP06-J. Expressions used in assertions must not produce side effects
  6. Lesson 5: Numeric Types and Operations (NUM)
    1. NUM00-J. Detect or prevent integer overflow
    2. NUM01-J. Do not perform bitwise and arithmetic operations on the same data
    3. NUM02-J. Ensure that division and modulo operations do not result in divide-by-zero errors
    4. NUM03-J. Use integer types that can fully represent the possible range of unsigned data
    5. NUM04-J. Do not use floating-point numbers if precise computation is required
    6. NUM05-J. Do not use denormalized numbers
    7. NUM07-J. Do not attempt comparisons with NaN
    8. NUM08-J. Check floating-point inputs for exceptional values
    9. NUM09-J. Do not use floating-point variables as loop counters
    10. NUM10-J. Do not construct BigDecimal objects from floating-point literals
    11. NUM11-J. Do not compare or inspect the string representation of floating-point values
    12. NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
    13. NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
  7. Lesson 6: Characters and Strings (STR)
    1. STR00-J. Don't form strings containing partial characters from variable-width encodings
    2. STR01-J. Do not assume that a Java char fully represents a Unicode code point
    3. STR02-J. Specify an appropriate locale when comparing locale-dependent data
    4. STR03-J. Do not encode non-character data as a string
    5. STR04-J. Use compatible character encodings when communicating string data between JVMs

Product information

  • Title: Secure Coding Rules for Java, Part I
  • Author(s):
  • Release date: October 2015
  • Publisher(s): Addison-Wesley Professional
  • ISBN: 0134031520