Interview and Book Review: The CERT Oracle Secure Coding Standard for Java
The CERT Oracle Secure Coding Standard for Java book covers the rules for secure coding using the Java programming language and its libraries with the goal to help Java developers eliminate insecure coding practices that can lead to vulnerable code.
In Chapter 1, authors discuss the different areas of application security attacks like injection attacks on SQL, XML, XPath and LDAP related code, leaking sensitive data, Denial of Service (DoS) and Concurrency related security vulnerabilities. For the remaining chapters in the book, each chapter follows the same format, first listing all the rules covered on the specific topic. Authors then provide risk assessment summary for each of these rules with ratings on factors like severity, likelihood, and remediation cost. This makes it a good reference for the application developers on secure design and coding topic.
Authors illustrate the security vulnerabilities with code examples of both non-compliant and compliant solutions to show how the secure code differs from the insecure implementation. Some of the secure coding categories discussed in the book include Input Validation and Data Sanitization, Declarations and Initialization, Object Orientation, Locking, Thread APIs, Input Output, Serialization and Platform Security.
InfoQ spoke with book authors Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, and David Svoboda about the motivation for writing the book, how the security rules discussed in the book compare to other security coding frameworks,
InfoQ: What was the main motivation for writing the book?
The primary motivation for this book was to bring together information about common coding errors in Java that can result in exploitable software vulnerabilities and provide information about how to avoid them.
InfoQ: What is the current state of Java secure programming standards space?
Oracle developed a set of secure coding guidelines which served as a starting point for this effort. The CERT Oracle Secure Coding Standard for Java is the first comprehensive benchmark set of secure coding rules.
InfoQ: There are other Java security architecture and coding frameworks like BSIMM and OWASP's ESAPI. Where does the CERT Secure Java Coding Standard fit with these frameworks?
The CERT Oracle Secure Coding Standard for Java is largely orthogonal to these other efforts. BSIMM is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. Neither of these initiatives replaces the need for a defined set of secure coding rules.
InfoQ: How do the rules discussed in the book compare with OWASP Top Ten Security Vulnerabilities Project ?
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. That list is language independent and some of the entries do not apply to Java. The CERT Oracle Secure Java Coding Standard is concerned only with the Java programming language and contains specific advice on how to avoid vulnerabilities in that language.
InfoQ: Can you talk about how techniques like static (SAST) and dynamic (DAST) application security testing techniques help with identifying the security defects and vulnerabilities in Java applications?
Static analysis and dynamic analysis are both useful analysis techniques that should be employed when developing programs in Java. Static analysis has the advantage of being able to examine the entire program (this is especially true of byte-code analyzers that also have visibility into third-party libraries) but the analysis itself has limitations that can result in excessive false positives or false negatives. Dynamic analysis is less prone to false positives, but is limited by the path coverage of your testing. There are a variety of useful analysis tools (both static and dynamic) available for Java, however, existing tool support for security is still nascent. We are working with both commercial analyzer vendors and open source projects to expand support for enforcing the rules in The CERT Oracle Secure Coding Standard for Java.
InfoQ: What is the current tool support for automatically check the security vulnerabilities like SQL injection, Cross-site Scripting (XSS) etc in the Java code?
Most static analysis tools perform some sort of taint analysis where untrusted inputs that flow into restricted sinks are diagnosed. This analysis can discover these and other types of injection attacks.
InfoQ: You talk about the automated code analysis as well as manual code inspection as the techniques to uncover and address the security vulnerabilities in the Java code. What do you recommend that the Java architects do in their organizations to get the best of both of these approaches?
Organizations should use tools to identify security issues where possible. But not all security vulnerabilities in Java are amenable to automatic detection. For this reason, organizations should use code inspection as well as automatic tools. The CERT Oracle Secure Coding Standard for Java supports both practices by enumerating and prioritizing the coding errors that frequently result in exploitable vulnerabilities and providing conforming solutions. The utility of these rules should increase as Java analysis tools are better integrated with the coding standard.
InfoQ: What improvements would you like to see made in Java programming language and JDK in the area of security?
The Java programming language was designed with security in mind. As the language and the web have evolved, new problems arose; the CERT Oracle Secure Coding Standard for Java does a good job of cataloging those problems. Some areas for further improvement include integer arithmetic and serialization. For example, there should be an integer arithmetic mode where overflow causes an exception to be thrown. There should also be a mode of Java serialization where the serialized data is automatically encrypted.
The authors also said that secure coding standards are one way to improve the awareness of security problems in Java, reduce vulnerabilities, and improve existing tool support. At the project level, architects may want to supplement the standards with their own guidelines. In the future, they hope to see extensive automated tool support and a significant reduction in the number of vulnerabilities discovered in deployed systems.
This Q&A is based on the book, "TheCERT Oracle Secure Coding Standard for Java" by Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean Sutherland and David Svoboda, part of the Pearson Addison-Wesley Professional SEI Series in Software Engineering (informit.com/sei) ISBN 0321803957, published Sept. 2011, Copyright 2012 Pearson Education, Inc. For more info please visit the publisher site.
About the Authors
|Fred Long is a senior lecturer and director of learning and teaching in the Department of Computer Science, Aberystwyth University in the United Kingdom. He lectures on formal methods; Java, C++, and C programming paradigms and programming-related security issues. He is chairman of the British Computer Society’s Mid-Wales Sub-Branch. Fred has been a Visiting Scientist at the Software Engineering Institute since 1992. Recently, his research has involved the investigation of vulnerabilities in Java.|
Dhruv Mohindra is a senior software engineer at Persistent Systems Limited, India, where he develops monitoring software for widely used enterprise servers. He has worked for CERT at the Software Engineering Institute and continues to collaborate to improve the state of security awareness in the programming community. Dhruv has also worked for Carnegie Mellon University, where he obtained his master of science degree in information security policy and management. He holds an undergraduate degree in computer engineering from Pune University, India, where he researched with Calsoft, Inc., during his academic pursuit. A writing enthusiast, Dhruv occasionally contributes articles to technology magazines and online resources. He brings forth his experience and learning from developing and securing service oriented applications, server monitoring software, mobile device applications, web-based data miners, and designing user-friendly security interfaces.
Robert C. Seacord is a computer security specialist and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering. Robert manages the Secure Coding Initiative at CERT, located in Carnegie Mellon’s Software Engineering Institute in Pittsburgh, Pennsylvania. CERT, among other security-related activities, regularly analyzes software vulnerability reports and assesses the risk to the Internet and other critical infrastructure. Robert is an adjunct professor in the Carnegie Mellon University School of Computer Science and in the Information Networking Institute. Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. Robert has a bachelor’s degree in computer science from Rensselaer Polytechnic Institute.
|Dean F. Sutherland is a senior software security engineer at CERT. Dean received his Ph.D. in software engineering from Carnegie Mellon in 2008. Before his return to academia, he spent 14 years working as a professional software engineer at Tartan, Inc. He spent the last six of those years as a senior member of the technical staff and a technical lead for compiler backend technology. He was the primary active member of the corporate R&D group, was a key instigator of the design and deployment of a new software development process for Tartan, led R&D projects, and provided both technical and project leadership for the 12-person compiler back-end group.|
David Svoboda is a software security engineer at CERT. David has been the primary developer on a diverse set of software development projects at Carnegie Mellon since 1991, ranging from hierarchical chip modeling and social organization simulation to automated machine translation (AMT). His KANTOO AMT software, developed in 1996, is still in production use at Caterpillar. He has over 13 years of Java development experience, starting with Java 2, and his Java projects include Tomcat servlets and Eclipse plug-ins. David is also actively involved in several ISO standards groups: the JTC1/SC22/WG14 group for the C programming language and the JTC1/SC22/WG21 group for C++.
Brandon Holt, Preston Briggs, Luis Ceze, Mark Oskin May 21, 2015
Kai Kreuzer, Olaf Weinmann May 21, 2015