Java coding guidelines: 75 recommendations for reliable and secure programs (2014)
References
[Allen 2000] Vermeulen, Allan, Scott W. Ambler, Greg Bumgardner, Eldon Metz, Trevor Misfeldt, Jim Shur, and Patrick Thompson. The Elements of Java™ Style. New York, NY: Cambridge University Press (2000).
[Apache 2013] Apache Tika: A Content Analysis Toolkit. The Apache Software Foundation (2013). http://tika.apache.org/index.html
[API 2006] Java™ Platform, Standard Edition 6 API Specification. Oracle (2006/2011). http://docs.oracle.com/javase/6/docs/api/
[API 2013] Java™ Platform, Standard Edition 7 API Specification. Oracle (2013). http://docs.oracle.com/javase/7/docs/api/index.html
[Arnold 2006] Arnold, Ken, James Gosling, and David Holmes. The Java™ Programming Language, Fourth Edition. Boston, MA: Addison-Wesley (2006).
[Bloch 2001] Bloch, Joshua. Effective Java™: Programming Language Guide. Boston, MA: Addison-Wesley (2001).
[Bloch 2005] Bloch, Joshua, and Neal Gafter. Java™ Puzzlers: Traps, Pitfalls, and Corner Cases. Boston, MA: Addison-Wesley (2005).
[Bloch 2008] Bloch, Joshua. Effective Java™: Programming Language Guide, Second Edition. Boston, MA: Addison-Wesley (2008).
[Campione 1996] Campione, Mary, and Kathy Walrath. The Java™ Tutorial: Object-Oriented Programming for the Internet. Reading, MA: Addison-Wesley (1996).
[Chan 1998] Chan, Patrick, Rosanna Lee, and Douglas Kramer. The Java™ Class Libraries: Supplement for the Java™ 2 Platform, Volume 1, Second Edition. Upper Saddle River, NJ: Prentice Hall (1998).
[Conventions 2009] Code Conventions for the Java Programming Language. Oracle (2009). www.oracle.com/technetwork/java/codeconv-138413.html
[Coomes 2007] Coomes, John, Peter Kessler, and Tony Printezis. “Garbage Collection–Friendly Programming.” JavaOne Conference (2007). http://docs.huihoo.com/javaone/2007/java-se/TS-2906.pdf
[Core Java 2003] Horstmann, Cay S., and Gary Cornell. Core Java™ 2, Volume I: Fundamentals, Seventh Edition. Upper Saddle River, NJ: Prentice Hall (2003).
[Coverity 2007] Coverity Prevent™ User’s Manual (3.3.0). Coverity (2007).
[Daconta 2003] Daconta, Michael C., Kevin T. Smith, Donald Avondolio, and W. Clay Richardson. More Java Pitfalls: 50 New Time-Saving Solutions and Workarounds. Indianapolis, IN: Wiley (2003).
[Davis 2008] Unicode Standard Annex #15: Unicode Normalization Forms, ed. Mark Davis and Ken Whistler. Unicode (2008). http://unicode.org/reports/tr15/
[ESA 2005] Java Coding Standards. ESA Board for Software Standardisation and Control (BSSC) (2005). http://software.ucv.ro/~eganea/SoftE/JavaCodingStandards.pdf
[FindBugs 2008] FindBugs Bug Descriptions (2008/2011). http://findbugs.sourceforge.net/bugDescriptions.html
[Flanagan 2005] Flanagan, David. Java™ in a Nutshell, Fifth Edition. Sebastopol, CA: O’Reilly (2005).
[Fortify 2013] A Taxonomy of Coding Errors That Affect Security, “Java/JSP.” Fortify Software (2013). www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
[GNU 2013] GNU Coding Standards, §5.3, “Clean Use of C Constructs.” Richard Stallman and other GNU Project volunteers (2013). www.gnu.org/prep/standards/standards.html#Syntactic-Conventions
[Goetz 2004] Goetz, Brian. Java Theory and Practice: Garbage Collection and Performance: Hints, Tips, and Myths about Writing Garbage Collection-Friendly Classes. IBM developerWorks (2004). www.ibm.com/developerworks/java/library/j-jtp01274/index.html
[Goetz 2006] Goetz, Brian, Tim Peierls, Joshua Bloch, Joseph Bowbeer, David Holmes, and Doug Lea. Java Concurrency in Practice. Boston, MA: Addison-Wesley (2006).
[Goetz 2007] Goetz, Brian. Java Theory and Practice: Managing Volatility: Guidelines for Using Volatile Variables. IBM developerWorks (2007). www.ibm.com/developerworks/java/library/j-jtp06197/index.html
[Gong 2003] Gong, Li, Gary Ellison, and Mary Dageforde. Inside Java™ 2 Platform Security: Architecture, API Design, and Implementation, Second Edition. Boston, MA: Addison-Wesley (2003).
[Goodliffe 2007] Goodliffe, Pete. Code Craft: The Practice of Writing Excellent Code. San Francisco, CA: No Starch Press, (2007).
[Grand 2002] Grand, Mark. Patterns in Java™, Volume 1: A Catalog of Reusable Design Patterns Illustrated with UML, Second Edition. Indianapolis, IN: Wiley (2002).
[Grubb 2003] Grubb, Penny, and Armstrong A. Takang. Software Maintenance: Concepts and Practice, Second Edition. River Edge, NJ: World Scientific (2003).
[Guillardoy 2012] Guillardoy, Esteban. Java 0Day Analysis (CVE-2012-4681). (2012). http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html
[Hatton 1995] Hatton, Les. Safer C: Developing Software for High-integrity and Safety-critical Systems. New York, NY: McGraw-Hill, (1995).
[Hawtin 2006] Hawtin, Thomas. [drlvm][kernel_classes] ThreadLocal Vulnerability. MarkMail (2006). http://markmail.org/message/4scermxmn5oqhyi
[Havelund 2009] Havelund, Klaus, and Al Niessner. JPL Coding Standard, Version 1.1. California Institute of Technology (2009). http://lars-lab.jpl.nasa.gov/JPL_Coding_Standard_Java.pdf
[Hirondelle 2013] Passwords Never Clear in Text. Hirondelle Systems (2013). www.javapractices.com/topic/TopicAction.do?Id=216
[ISO/IEC 9126-1:2001] Software Engineering—Product Quality, Part 1, Quality Model (ISO/IEC 9126-1:2001). Geneva, Switzerland: International Organization for Standardization (2001).
[ISO/IEC/IEEE 24765:2010] Software Engineering—Product Quality, Part 1, Quality Model (ISO/IEC/IEEE 24765:2010). Geneva, Switzerland: International Organization for Standardization (2010).
[JLS 2013] Gosling, James, Bill Joy, Guy Steele, Gilad Bracha, and Alex Buckley. The Java Language Specification: Java SE 7 Edition. Oracle America, Inc. (2013). http://docs.oracle.com/javase/specs/jls/se7/html/index.html
[JVMSpec 1999] The Java™ Virtual Machine Specification, Second Edition. Sun Microsystems, Inc. (1999). http://docs.oracle.com/javase/specs/
[Kalinovsky 2004] Kalinovsky, Alex. Covert Java™: Techniques for Decompiling, Patching, and Reverse Engineering. Indianapolis, IN: SAMS (2004).
[Knoernschild 2002] Knoernschild, Kirk. Java™ Design: Objects, UML, and Process. Boston, MA: Addison-Wesley (2002).
[Lea 2000] Lea, Doug. Concurrent Programming in Java™: Design Principles and Patterns, Second Edition. Boston, MA: Addison-Wesley (2000).
[Lo 2005] Lo, Chia-Tien Dan, Witawas Srisa-an, and J. Morris Chang. “Security Issues in Garbage Collection.” STSC Crosstalk (2005). www.eng.auburn.edu/users/hamilton/security/papers/STSC%20CrossTalk%20-%20Security%20Issues%20in%20Garbage%20Collection%20-%20Oct%a02005.pdf
[Long 2012] Long, Fred, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, and David Svoboda. The CERT® Oracle® Secure Coding Standard for Java™. Boston, MA: Addison-Wesley (2012).
[Manion 2013] Manion, Art. “Anatomy of Java Exploits,” CERT/CC Blog (2013). www.cert.org/blogs/certcc/2013/01/anatomy_of_java_exploits.html
[McGraw 1999] McGraw, Gary, and Ed Felten. Securing Java: Getting Down to Business with Mobile Code, Second Edition. New York, NY: Wiley (1999).
[Mettler 2010] Mettler, Adrian, and David Wagner. “Class Properties for Security Review in an Object-Capability Subset of Java.” Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS ’10). New York, NY: ACM (2010). DOI: 10.1145/1814217.1814224. http://dl.acm.org/citation.cfm?doid=1814217.1814224
[Miller 2009] Miller, Alex. Java™ Platform Concurrency Gotchas. JavaOne Conference (2009).
[Netzer 1992] Netzer, Robert H. B., and Barton P. Miller. “What Are Race Conditions? Some Issues and Formalization.” ACM Letters on Programming Languages and Systems 1(1):74–88 (1992). http://dl.acm.org/citation.cfm?id=130616.130623
[Oaks 2001] Oaks, Scott. Java™ Security. Sebastopol, CA: O’Reilly (2001).
[Oracle 2010a] Java SE 6 HotSpot™ Virtual Machine Garbage Collection Tuning. Oracle (2010). www.oracle.com/technetwork/java/javase/gc-tuning-6-140523.html
[Oracle 2010b] New I/O APIs. Oracle (2010). http://docs.oracle.com/javase/1.5.0/docs/guide/nio/
[Oracle 2011a] Java™ PKI Programmer’s Guide. Oracle (2011). http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html
[Oracle 2011b] Java SE 6 Documentation. Oracle (2011). http://docs.oracle.com/javase/6/docs/index.html
[Oracle 2011c] Package javax.servlet.http.Oracle (2011). http://docs.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html
[Oracle 2011d] Permissions in the Java™ SE 6 Development Kit (JDK). Oracle (2011). http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html
[Oracle 2013a] API for Privileged Blocks. Oracle (2013). http://download.java.net/jdk8/docs/technotes/guides/security/doprivileged.html
[Oracle 2013b] “Reading ASCII Passwords from an InputStream Example,” Java™ Cryptography Architecture (JCA) Reference Guide. Oracle (2013). http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#ReadPassword
[Oracle 2013c] Java Platform Standard Edition 7 Documentation. Oracle (2013). http://docs.oracle.com/javase/7/docs/
[Oracle 2013d] Oracle Security Alert for CVE-2013-0422. Oracle (2013). www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[OWASP 2009] Session Fixation in Java. OWASP (2009). https://www.owasp.org/index.php/Session_Fixation_in_Java
[OWASP 2011] Cross-site Scripting (XSS). OWASP (2011). www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
[OWASP 2012] “Why Add Salt?” Hashing Java. OWASP (2012). www.owasp.org/index.php/Hashing_Java
[OWASP 2013] OWASP Guide Project. The Open Web Application Security Project (OWASP) (2013). www.owasp.org/index.php/OWASP_Guide_Project
[Paar 2010] Paar, Christof, and Jan Pelzl. Understanding Cryptography: A Textbook for Students and Practitioners. Heidelberg, NY: Springer (2010).
[Pistoia 2004] Pistoia, Marco, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java™ Security: Building Secure J2EE™ Applications. Boston, MA: Addison-Wesley (2004).
[Policy 2010] Default Policy Implementation and Policy File Syntax, Document revision 1.6. Oracle (2010). http://docs.oracle.com/javase/1.4.2/docs/guide/security/PolicyFiles.html
[SCG 2010] Secure Coding Guidelines for the Java Programming Language, Version 4.0. Oracle (2010). www.oracle.com/technetwork/java/seccodeguide-139067.html
[Seacord 2009] Seacord, Robert C. The CERT® C Secure Coding Standard. Boston, MA: Addison-Wesley (2009).
[Seacord 2012] Seacord, Robert C., Will Dormann, James McCurley, Philip Miller, Robert Stoddard, David Svoboda, and Jefferson Welch. Source Code Analysis Laboratory (SCALe) (CMU/SEI-2012-TN-013). Pittsburgh, PA: Carnegie Mellon University (2012).www.sei.cmu.edu/library/abstracts/reports/12tn013.cfm
[Seacord 2013] Seacord, Robert C. Secure Coding in C and C++, Second Edition. Boston, MA: Addison-Wesley (2013). See www.cert.org/books/secure-coding for news and errata.
[SecuritySpec 2010] Java Security Architecture. Oracle (2010). http://docs.oracle.com/javase/1.5.0/docs/guide/security/spec/security-specTOC.fm.html
[Sen 2007] Sen, Robi. Avoid the Dangers of XPath Injection. IBM developerWorks (2007). www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html
[Sethi 2009] Sethi, Amit. Proper Use of Java’s SecureRandom. Cigital Justice League Blog (2009). www.cigital.com/justice-league-blog/2009/08/14/proper-use-of-javas-securerandom/
[Steinberg 2008] Steinberg, Daniel H. Using the Varargs Language Feature. Java Developer Connection Tech Tips (2008). www.java-tips.org/java-se-tips/java.lang/using-the-varargs-language-feature.html
[Sterbenz 2006] Sterbenz, Andreas, and Charlie Lai. Secure Coding Antipatterns: Avoiding Vulnerabilities. JavaOne Conference (2006). https://confluence.ucdavis.edu/confluence/download/attachments/16218/ts-1238.pdf?version=1&modificatio ndate=1180213302000
[Sutherland 2010] Sutherland, Dean F., and William L. Scherlis. “Composable Thread Coloring.” In Proceedings of the 15th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP ‘10). New York, NY: ACM (2010). http://dl.acm.org/citation.cfm?doid=1693453.1693485
[Tutorials 2013] The Java™ Tutorials. Oracle (2013). http://docs.oracle.com/javase/tutorial/index.html
[Unicode 2013] Unicode 6.2.0. Mountain View, CA: The Unicode Consortium (2013). www.unicode.org/versions/Unicode6.2.0/
[Viega 2005] Viega, John. CLASP Reference Guide, Volume 1.1. Secure Software, 2005.
[W3C 2003] The World Wide Web Security FAQ. World Wide Web Consortium (W3C) (2003). www.w3.org/Security/Faq/wwwsf2.html
[Ware 2008] Ware, Michael S. Writing Secure Java Code: A Taxonomy of Heuristics and an Evaluation of Static Analysis Tools. James Madison University (2008). http://mikeware.us/thesis/
[Zadegan 2009] Zadegan, Bryant. A Lesson on Infinite Loops. winJade.net (2009). http://winjade.net/2009/01/lesson-on-infinite-loops/