wood burning stoves*
The moose likes Security and the fly likes Java Coding Guidelines and OWASP Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "Java Coding Guidelines and OWASP" Watch "Java Coding Guidelines and OWASP" New topic
Author

Java Coding Guidelines and OWASP

Patroklos Papapetrou
Author
Ranch Hand

Joined: Aug 06, 2013
Posts: 32
    
    5

It's great to see a book dedicated to java security guidelines. I recently took a course about java security and I was wondering how this book categorizes the security flaws. Is it based on the OWASP top 10 categories as described here : https://www.owasp.org/index.php/Top_10_2013-Top_10 ? Do you follow another categorization?
And another question. Do you provide some working examples in the book?
Thanks a lot


Follow me on twitter ( @ppapapetrou76 ) or see my linked profile and connect with me
You can slso subscribe to my technical blog
Robert Seacord
Greenhorn

Joined: Nov 12, 2013
Posts: 1


We don't really categorize security flaws in this book. For our coding standards (see www.securecoding.cert.org) we prioritize rules based on a risk assessment. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. One aspect of this is the Severity - How serious are the consequences of the rule being ignored:
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code, privilege escalation)
This has been sufficient for our purposes, as we are talking about the consequnces of violating the rules / guidelines and the same mistake can have different consequences in a different context. For this guidelines book, we elimianted the risk assessment entirely as these guidelines are meant to produce better code overall and a specific violation of one of these guidelines does not necesarily mean that your code has a vulnerbility.

Thanks,
rCs
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 39415
    
  28
Welcome to the Ranch
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Java Coding Guidelines and OWASP