While sections 0 through 3 are generally applicable across different types of software, most of the guidelines in sections 4 through 9 focus on applications that interact with untrusted code (though some guidelines in these sections are still relevant for other situations).
#Java serialization data version 5 software
Any implementation bug can have serious security ramifications and could appear in any layer of the software stack. These guidelines are of interest to all Java developers, whether they create trusted end-user applications, implement the internals of a security component, or develop shared Java class libraries that perform common programming tasks. It provides a more complete set of security-specific coding guidelines targeted at the Java programming language. This document bridges such publications together and includes coverage of additional topics. Others, such as Software Security: Building Security In, outline guiding principles for software security. Existing publications, such as Effective Java, provide excellent guidelines related to Java software design.
To minimize the likelihood of security vulnerabilities caused by programmer error, Java developers should adhere to recommended coding guidelines. The explicit static typing of Java makes code easy to understand (and facilitates static analysis), and the dynamic checks ensure unexpected conditions result in predictable behavior. These features also make Java programs highly resistant to the stack-smashing and buffer overflow attacks possible in the C and to a lesser extent C++ programming languages.
Java programs and libraries check for illegal state at the earliest opportunity. The language is type-safe, and the runtime provides automatic memory management and bounds-checking on arrays. The Java language and virtual machine provide many features to mitigate common programming mistakes. The choice of language system impacts the robustness of any software program. These bugs can potentially be used to steal confidential data from the machine and intranet, misuse system resources, prevent useful operation of the machine, assist further attacks, and many other malicious activities. In severe cases local programs may be executed or Java security disabled. Such bugs can inadvertently open the very holes that the security architecture was designed to contain. While the Java security architecture can in many cases help to protect users and systems from hostile or misbehaving code, it cannot defend against implementation bugs that occur in trusted code. Java comes with its own unique set of security challenges. One of the main design considerations for the Java platform is to provide a restricted environment for executing code with different permission levels.
0 kommentar(er)
