SEI CERT Oracle Coding Standard for Java: Front Matter
The Java rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this
is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book
form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.
Create a sign-in account if you want to comment on existing content. If you wish to be more involved and directly edit content on the site, you still need
an account, but you'll also need to request edit privileges.
Rules

Rule. Preface
Rule 00. Input Validation and Data Sanitization (IDS)
Rule 01. Declarations and Initialization (DCL)
Rule 02. Expressions (EXP)
Rule 03. Numeric Types and Operations (NUM)
Rule 04. Characters and Strings (STR)
Rule 05. Object Orientation (OBJ)
Rule 06. Methods (MET)
Rule 07. Exceptional Behavior (ERR)
Rule 08. Visibility and Atomicity (VNA)
Rule 09. Locking (LCK)
Rule 10. Thread APIs (THI)
Rule 11. Thread Pools (TPS)
Rule 12. Thread-Safety Miscellaneous (TSM)
Rule 13. Input Output (FIO)
Rule 14. Serialization (SER)
Rule 15. Platform Security (SEC)
Rule 16. Runtime Environment (ENV)
Rule 17. Java Native Interface (JNI)
Rule 49. Miscellaneous (MSC)
Rule 50. Android (DRD)
Rule AA. References
Rule BB. Glossary
Rule or Rec. CC. Analyzers
Rule or Rec. DD. Related Guidelines
Rule or Rec. EE. Risk Assessments

Recommendations

Rec. 00. Input Validation and Data Sanitization (IDS)
Rec. 01. Declarations and Initialization (DCL)
Rec. 02. Expressions (EXP)
Rec. 03. Numeric Types and Operations (NUM)
Rec. 04. Characters and Strings (STR)
Rec. 05. Object Orientation (OBJ)
Rec. 06. Methods (MET)
Rec. 07. Exceptional Behavior (ERR)
Rec. 13. Input Output (FIO)
Rec. 15. Platform Security (SEC)
Rec. 18. Concurrency (CON)
Rec. 49. Miscellaneous (MSC)
Rec. AA. References
Rec. BB. Definitions
Rule or Rec. CC. Analyzers
Rule or Rec. DD. Related Guidelines
Rule or Rec. EE. Risk Assessments

There are two books available that cover Java: one for rules and the other for guidelines.

The CERT Oracle Secure Coding Standard for Java provides rules for Java Platform Standard Edition 6 and Java SE 7.

Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs provides guidelines, recommendations, and examples to enable the creation of reliable, robust, fast, maintainable, and secure code.

Source Code Analysis Laboratory (SCALe)

SCALe offers conformance testing of Java language software systems against the CERT Oracle Secure Coding Standard for Java.

Contact Us

Contact us if you

Thank You!
This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Learn more about the differences.
Link to guidelines using the Tiny Link under Tools > Link to this Page... (This URL will not change if the name of the guideline changes.)
Information for Editors
To eliminate a section from the lists above, label it section and void.
To have a section listed as a recommendation, label it section and recommendation.
To have a section listed as a rule, label it section and rule.