
Java Coding Guidelines: How security relates to "Program Understandability"?

 
S G Ganesh
Author
Ranch Hand
Posts: 92
To the authors of the "Java Coding Guidelines" book: I saw the TOC of your interesting book, and I was not quite convinced that program understandability directly relates to security.
Yes, at a logical (or high) level, any violation of programming best practices is not a good thing since it may confuse the reader, the compiler, etc., which can lead to mistakes during fixes, for example, consequently leading to security vulnerabilities.
However, does program understandability directly relate to security vulnerabilities? Given the fact that you have devoted a considerable number of guidelines in your book to program understandability, can you please clarify the relationship between program understandability and security?
 
Yvette Schat
Ranch Hand
Posts: 83
Understandability is an element of code quality and a property of good code.

Failing in understandability can lead to leaky abstractions that are just the points
where vulnerabilities mushroom in your code.

Yvette
 
S G Ganesh
Author
Ranch Hand
Posts: 92
Agreed - there is an indirect relationship between understandability and security, the same way complexity relates to security, for example. However, my question is: does program readability or understandability directly affect security (given the fact that so many security guidelines in the book are devoted to program understandability)? The former is an internal quality attribute whereas the latter is more of an external quality attribute.
 
Dhruv Mohindra
Author
Greenhorn
Posts: 11
Hi S G Ganesh,
S G Ganesh wrote:
To the authors of the "Java Coding Guidelines" book: I saw the TOC of your interesting book, and I was not quite convinced that program understandability directly relates to security.
Yes, at a logical (or high) level, any violation of programming best practices is not a good thing since it may confuse the reader, the compiler, etc., which can lead to mistakes during fixes, for example, consequently leading to security vulnerabilities.
However, does program understandability directly relate to security vulnerabilities? Given the fact that you have devoted a considerable number of guidelines in your book to program understandability, can you please clarify the relationship between program understandability and security?


Convoluted code has a bigger chance of harboring a vulnerability. Take, for example, the case where a developer constructs a bean class that has a private InputStream member and a corresponding getter/setter. To the unsuspecting, that may sound reasonable; however, resource management (closing the stream) is going to be very unwieldy in such a design. A clear separation of the data access logic and a clean data model would go a long way towards avoiding the denial of service vulnerability caused by too many open input streams.

The interplay between program understandability and security is magnified in such scenarios.
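
The bean design described in the post above, next to the separated design it recommends, as an added example that is not part of the original thread or the book. All names (`ReportBean`, `Report`, `load`, `open`) are hypothetical, and a counted in-memory stream stands in for a file or socket so the leak is visible offline (Java 16+).

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

public class StreamOwnershipDemo {
    // Constructed stand-in for a file/socket stream: counts streams not yet closed.
    static final AtomicInteger OPEN = new AtomicInteger();

    static InputStream open(String data) {
        OPEN.incrementAndGet();
        byte[] bytes = data.getBytes(StandardCharsets.UTF_8);
        return new FilterInputStream(new ByteArrayInputStream(bytes)) {
            private boolean closed;
            @Override public void close() throws IOException {
                if (!closed) { closed = true; OPEN.decrementAndGet(); }
                super.close();
            }
        };
    }

    // Design from the post: the bean holds the stream, so no caller clearly owns close().
    static class ReportBean {
        private InputStream body;
        public InputStream getBody() { return body; }
        // Replacing the stream drops the previous one without closing it.
        public void setBody(InputStream body) { this.body = body; }
    }

    // Clean data model: immutable data only, no resource handle.
    record Report(String body) {}

    // Data access logic: open, read fully and close within a single scope.
    static Report load(String source) throws IOException {
        try (InputStream in = open(source)) {
            return new Report(new String(in.readAllBytes(), StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws IOException {
        ReportBean bean = new ReportBean();
        for (int i = 0; i < 1000; i++) bean.setBody(open("request " + i));
        System.out.println("bean design, streams left open: " + OPEN.get());

        OPEN.set(0);
        for (int i = 0; i < 1000; i++) load("request " + i);
        System.out.println("separated design, streams left open: " + OPEN.get());
    }
}
```

With real file or socket streams, each unclosed stream in the first loop would hold an operating-system descriptor until garbage collection, which is how the design turns into resource exhaustion under load.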
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34375
Personally, I like that this book (as opposed to the first one by these authors) has both security and reliability as major themes. That way we don't get into debates about whether something is directly security related.

Convoluted code clearly isn't reliable. It's hard to change without introducing bugs. In fact, broken code can be unreliable while being very secure (code that doesn't work can be quite secure!)
 