Author(s): Fred Long et al.
Publisher: Addison-Wesley Professional
Category: Advanced Java
Review by: Jeanne Boyarsky
Rating: 8 horseshoes
"The CERT Oracle Secure Coding Standard for Java." The name says it all. This is a book about security, no? Actually, it is not. It is a book about security and quality. The authors don't define security in quite the same way I do. For example, calling string.replace() and ignoring the result is incorrect. However, it is a quality issue. I'm not convinced of the relationship to security.
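The string.replace() case from the paragraph above, laid out as the bad/good pair the review describes (an example added here, not code from the book or the review; the escapeHtml helper and its sample input are constructed for illustration):

```java
// Java Strings are immutable: replace() never changes the receiver, it
// returns a new String. Discarding that return value silently keeps the
// original text. This is the kind of ignored-return-value defect a static
// analyzer can flag.
public final class ReplaceResult {

    // Bad: each replace() result is thrown away, so the method hands back
    // the input exactly as it arrived, with every '<', '>' and '&' intact.
    static String escapeHtmlBad(String s) {
        s.replace("&", "&amp;");
        s.replace("<", "&lt;");
        s.replace(">", "&gt;");
        return s;
    }

    // Good: keep each returned String and pass it to the next call.
    // '&' is handled first so the entities introduced later are not re-escaped.
    static String escapeHtmlGood(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;");
    }

    public static void main(String[] args) {
        String input = "<b>Tom & Jerry</b>";   // constructed sample input
        String bad = escapeHtmlBad(input);
        String good = escapeHtmlGood(input);
        System.out.println("bad  : " + bad);
        System.out.println("good : " + good);
        System.out.println("bad version left input unchanged: " + input.equals(bad));
        System.out.println("good version still contains '<': " + good.contains("<"));
    }
}
```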
In any case, the practices are excellent. They are clearly documented in the form of:
attack/flaw
bad code example
good code example
I think the code examples could have been a little clearer. Maybe highlight the differences between the two in longer snippets.
I particularly liked the tables where they show severity, likelihood, cost to fix, priority and level. I also like that they call attention to which can be easily found by static analysis.
The focus is on core Java (not JEE/web) and a lot of emphasis is placed on threading. The book calls attention to different versions of Java and includes Java 7. Overall, a worthwhile addition to the bookshelf.
---
Disclosure: I received a copy of this book from the publisher in exchange for writing this review on behalf of CodeRanch.
More info at Amazon.com