4. Secure Coding Guidelines
• Avoid duplication
• Restrict privileges
• Establish trust boundaries
• Minimize the number of permission checks
• Encapsulate
5. Denial of Service
• Release resources in all cases
• "Zip bombs"
• "Billion laughs attack"
• "Log bombs"
• Infinite loops: "poison messages"
• Resource limit checks should not suffer from integer overflow
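An added example (not from the slides) of the last point above, in Java: a byte budget for decompressed output whose naive limit check can be passed by an attacker-supplied length because the addition wraps around, next to the corrected check. `ResourceBudget` and its methods are invented names for this illustration.

```java
/** Hypothetical byte budget for decompressed output; all names are invented for this example. */
public final class ResourceBudget {
    private final long limitBytes;
    private long usedBytes;

    public ResourceBudget(long limitBytes) {
        if (limitBytes < 0) {
            throw new IllegalArgumentException("limit must be non-negative");
        }
        this.limitBytes = limitBytes;
    }

    /** Weak check: usedBytes + requested can wrap to a negative value and slip under the limit. */
    public boolean reserveUnsafe(long requested) {
        if (usedBytes + requested > limitBytes) {
            return false;
        }
        usedBytes += requested;
        return true;
    }

    /**
     * Hardened check: reject non-positive sizes, then compare against the remaining headroom
     * without forming the sum, so no intermediate value can overflow. (Math.addExact would be
     * an alternative: it throws ArithmeticException instead of wrapping.)
     */
    public boolean reserve(long requested) {
        if (requested <= 0 || requested > limitBytes - usedBytes) {
            return false;
        }
        usedBytes += requested;
        return true;
    }

    public long used() {
        return usedBytes;
    }

    public static void main(String[] args) {
        // Constructed input: a declared size read from an untrusted header, e.g. a zip entry.
        long hostile = Long.MAX_VALUE;

        ResourceBudget weak = new ResourceBudget(1_000_000);
        weak.reserveUnsafe(1); // one legitimate byte first, so the next addition can wrap
        System.out.println("weak check accepts hostile size:  " + weak.reserveUnsafe(hostile));

        ResourceBudget safe = new ResourceBudget(1_000_000);
        safe.reserve(1);
        System.out.println("fixed check accepts hostile size: " + safe.reserve(hostile));
        System.out.println("fixed budget still used:          " + safe.used());
    }
}
```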
6. Confidential Information
• Purge sensitive information from exceptions
• Do not log highly sensitive information
• Consider purging highly sensitive information from memory after use
7. Injection & Inclusion
• Avoid dynamic SQL
• SQL Injection
• XML and HTML generation requires care
• Cross-Site Scripting (XSS)
• Restrict XML inclusion
• XML External Entity (XXE)
8. Accessibility & Extensibility
• Limit the accessibility of classes, interfaces, methods, and fields.
• Limit the accessibility of namespaces.
• Isolate unrelated code.
• Limit the extensibility of classes and methods.
• Understand how a superclass can affect subclass behavior.
11. Mutability
• Prefer immutability for value types
• Create copies of mutable output values
• Make public static fields constants
• Do not expose mutable statics
12. Object Construction
• Avoid exposing constructors of sensitive classes
• Prevent the unauthorized construction of sensitive classes
• Prevent constructors from calling methods that can be overridden
13. Serialization & Deserialization
• Avoid serialization for security-sensitive classes
• Guard sensitive data during serialization
• View deserialization the same as object construction
14. Access Control
• Understand how permissions are checked
• Beware of callback (lifecycle) methods
  • Callback methods are generally invoked from the system with FULL permissions
• Be careful caching results of potentially privileged operations