I really like the CERT books. This one is no different, however, it is not one to read from cover to cover, at least not for me. It contains a catalog of rules for programming secure java code. What I have been doing is using it to look up rules about topics found in other resources that I have been using to learn the java environment.
Although the book contains a great index, there is an online version of this book which is really nice. It contains a really sweet search. I have been using that a lot to find the topics I am interested in, marking them in the book, and then reading about them in the book. The online version of the book contains all the code samples found in the book.
The is a nice introduction that you will want to completely read. It gives a really nice overview of java programming security issues and introduces the concepts that can make it safer. The concepts in this chapter introduce the chapters that contain the details rules.
After the introduction the book contains the following chapters. Input Validation and Data Sanitization, Declarations and Initialization, Expressions, Numeric Types and Operations, Object Orientation, Methods, Exceptional Behavior, Visibility and Atomicity, Locking, Thread APIs, Thread Pools, Thread-Safety Miscellaneous, Input Output, Serialization, Platform Security, Runtime Environment, and Miscellaneous.
There are a ton of nice code samples which show the commonly implemented noncompliant solutions and then the compliant solutions. I mentioned above they are all available online.
Although there is a free online version, I am not one to read e-books or anything on the computer I don't have to. I am on it way too much to want to read on it when I don't have to.
I find the author's writing style makes the book an easy read. It is also in a very nice format. Each chapter starts with a list of the rules it covers and a risk assessment summary. They then cover the rules and end with related guidelines and bibliography.
The thing I like most about the book is that although it makes it clear that it does not cover Design and Architecture, Content, Coding style, Tools, and Controversial Rules, I still believe all these areas will improve if you use the advice found in book.
All in all I highly recommend this book to every Java programmer. |
 
The CERT Oracle Secure Coding Standard for Java (SEI Series in Software Engineering) |
Subscribe to JAVA Developer's Journal Email News Alerts
Subscribe via RSS
