Java Coding Guidelines and OWASP

Patroklos Papapetrou
Ranch Hand

Joined: Aug 06, 2013
Posts: 32

It's great to see a book dedicated to Java security guidelines. I recently took a course about Java security and I was wondering how this book categorizes the security flaws. Is it based on the OWASP Top 10 categories as described here: ? Or do you follow another categorization?
And another question: do you provide some working examples in the book?
Thanks a lot

Follow me on twitter ( @ppapapetrou76 ) or see my linked profile and connect with me.
You can also subscribe to my technical blog.
Robert Seacord

Joined: Nov 12, 2013
Posts: 1

We don't really categorize security flaws in this book. For our coding standards (see ), we prioritize rules based on a risk assessment. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. One aspect of this is the Severity: how serious the consequences of ignoring the rule are:
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code, privilege escalation)
This has been sufficient for our purposes, as we are talking about the consequences of violating the rules / guidelines, and the same mistake can have different consequences in a different context. For this guidelines book, we eliminated the risk assessment entirely, as these guidelines are meant to produce better code overall, and a specific violation of one of these guidelines does not necessarily mean that your code has a vulnerability.

Campbell Ritchie

Joined: Oct 13, 2005
Posts: 45338
Welcome to the Ranch
It is sorta covered in the JavaRanch Style Guide.