It's great to see a book dedicated to Java security guidelines. I recently took a course about Java security and I was wondering how this book categorizes the security flaws. Is it based on the OWASP top 10 categories as described here: https://www.owasp.org/index.php/Top_10_2013-Top_10 ? Do you follow another categorization?
And another question. Do you provide some working examples in the book?
Thanks a lot
We don't really categorize security flaws in this book. For our coding standards (see www.securecoding.cert.org) we prioritize rules based on a risk assessment. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. One aspect of this is the Severity - How serious are the consequences of the rule being ignored:
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code, privilege escalation)
This has been sufficient for our purposes, as we are talking about the consequences of violating the rules / guidelines, and the same mistake can have different consequences in a different context. For this guidelines book, we eliminated the risk assessment entirely, as these guidelines are meant to produce better code overall and a specific violation of one of these guidelines does not necessarily mean that your code has a vulnerability.