Java Coding Guidelines: How security relates to "Program Understandability"?

S G Ganesh
Author
Greenhorn

Joined: Jul 29, 2013
Posts: 23
    
    5
To the authors of the "Java Coding Guidelines" book: I saw the TOC of your interesting book, and I was not quite convinced that program understandability directly relates to security.
Yes, at a logical (or high) level, any violation of programming best practices is not a good thing, since it may confuse the reader, the compiler, etc., which can lead to mistakes during fixes, for example, consequently leading to security vulnerabilities.
However, does program understandability directly relate to security vulnerabilities? Given the fact that you have devoted a considerable number of guidelines in your book to program understandability, can you please clarify the relationship between program understandability and security?

http://ocpjp7.blogspot.in/
http://www.amazon.com/dp/1430247649/
Yvette Schat
Ranch Hand

Joined: Dec 05, 2011
Posts: 56
Understandability is an element of code quality and a property of good code.

Failing in understandability can lead to leaky abstractions that are just the points
where vulnerabilities mushroom in your code.

Yvette
S G Ganesh
Author
Greenhorn

Joined: Jul 29, 2013
Posts: 23
    
    5
Agreed - there is an indirect relationship between understandability and security, the same way complexity relates to security, for example. However, my question is: does program readability or understandability directly affect security (given the fact that so many security guidelines in the book are devoted to program understandability)? The former is an internal quality attribute whereas the latter is more of an external quality attribute.
Dhruv Mohindra
Author
Greenhorn

Joined: Dec 08, 2009
Posts: 11
    
    5
Hi S G Ganesh,
S G Ganesh wrote: To the authors of the "Java Coding Guidelines" book: I saw the TOC of your interesting book, and I was not quite convinced that program understandability directly relates to security.
Yes, at a logical (or high) level, any violation of programming best practices is not a good thing, since it may confuse the reader, the compiler, etc., which can lead to mistakes during fixes, for example, consequently leading to security vulnerabilities.
However, does program understandability directly relate to security vulnerabilities? Given the fact that you have devoted a considerable number of guidelines in your book to program understandability, can you please clarify the relationship between program understandability and security?


Convoluted code has a bigger chance of harboring a vulnerability. Take, for example, the case where a developer constructs a bean class that has a private InputStream member and a corresponding getter/setter. To the unsuspecting, that may sound reasonable; however, resource management (closing the stream) is going to be very unwieldy in such a design. A clear separation of the data access logic and a clean data model would go a long way towards avoiding the denial of service vulnerability caused by too many open input streams.

The interplay between program understandability and security is magnified in such scenarios.


You know what I did last summer - Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs.
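
Added example, not part of the original thread or the book: the bean-with-an-InputStream design from the post above next to a version that separates data access from a plain data model. The names `ReportBean`, `Report`, `load`, `openSource` and the `OPEN` counter are hypothetical, the input is constructed in memory, and the counter stands in for open file descriptors (requires Java 16+ for `record`).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

public class StreamBeanDemo {
    // Streams opened and not yet closed (assumed stand-in for file descriptors).
    static final AtomicInteger OPEN = new AtomicInteger();

    // Constructed in-memory source so the demo runs offline.
    static InputStream openSource(String text) {
        OPEN.incrementAndGet();
        return new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)) {
            @Override public void close() throws IOException {
                OPEN.decrementAndGet();
                super.close();
            }
        };
    }

    // Design described in the post: the bean carries the live stream, so no
    // single piece of code is clearly responsible for closing it.
    static class ReportBean {
        private InputStream content;
        public InputStream getContent() { return content; }
        public void setContent(InputStream content) { this.content = content; }
    }

    // Clean data model: plain data only, nothing to close.
    record Report(String body) {}

    // Data access logic owns the stream for exactly one try-with-resources scope.
    static Report load(String text) throws IOException {
        try (InputStream in = openSource(text)) {
            return new Report(new String(in.readAllBytes(), StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws IOException {
        for (int i = 0; i < 1000; i++) {
            new ReportBean().setContent(openSource("report " + i)); // never closed
        }
        System.out.println("open after bean design: " + OPEN.get());
        OPEN.set(0);
        for (int i = 0; i < 1000; i++) load("report " + i);
        System.out.println("open after separated design: " + OPEN.get());
    }
}
```

With real file or socket streams, the first loop is the pattern that exhausts descriptors under load; the second keeps the open count bounded because each stream's lifetime is confined to one method.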
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29237
    
139

Personally, I like that this book (as opposed to the first one by these authors) has both security and reliability as major themes. That way we don't get into debates about whether something is directly security related.

Convoluted code clearly isn't reliable. It's hard to change without introducing bugs. In fact, broken code can be unreliable while being very secure (code that doesn't work can be quite secure!)

