• Post Reply Bookmark Topic Watch Topic
  • New Topic

Secure coding in Java ?  RSS feed

 
Ranch Hand
Posts: 50
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I saw a course somewhere on secure coding with C. So, are there any good beginner level resources to learn how to make secure code in Java ? Can TDD be considered a form of secure coding ?
 
Rancher
Posts: 42972
73
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
TDD has nothing to do with security - it applies to all code. Some thoughts of mine can be found in http://www.coderanch.com/t/634517/Security/Book-Tutorial-recommendation-Java-Security.
 
Bartender
Posts: 10575
66
Eclipse IDE Hibernate Ubuntu
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
sid smith wrote:So, are there any good beginner level resources to learn how to make secure code in Java ?

It really depends on what you mean by "secure code": Do you mean code that can't be reverse-engineered or "cracked" (ie, 'intellectual' security), or code that prevents people from doing something stupid, like extending classes that were never meant to be extended or changing data that wasn't meant to be changed. The two things are completely different.

Ulf's link deals with the first, and there are any number of code obfuscators out there; but TBH, at your stage, I wouldn't worry about it at the moment. It'll only distract you.

As for the second, here's are a few basic tips that might help:
1. Always, always, ALWAYS make instance fields private.
2. Unless you know that you're gong to need to change them, make them final as well.
3. Make your classes final unless you know that you're going to need to subclass them.
4. Make your methods final unless you know that you're going to need to override them.

Do you see a pattern here?
Don't allow anyone to extend, override, change or even see anything you don't specifically intend them to; and, for that, 'final' and 'private' are your friends.

Personally, I wish that Java had made them the default, not the exception; but they didn't, so you'll just have to remember to do it. The great thing about 'final' is that you can always remove it later if you find it too restrictive; but you can't add it.

There are many other things to know about, such as defensive copying, but I reckon those 4 should be enough to get you started.

HIH

Winston
 
Marshal
Posts: 56605
172
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
To continue from what Winston said: in a high‑risk environment, avoid the keyword public until you find something won't work without. It is rather the converse of what Winston said: you can't remove it but you can always add it later.
 
Campbell Ritchie
Marshal
Posts: 56605
172
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Winston Gutkowski wrote: . . . Personally, I wish that Java had made them the default, . . .
You probably would nowadays, but twenty years ago the security hazards were so much less.
 
Winston Gutkowski
Bartender
Posts: 10575
66
Eclipse IDE Hibernate Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Campbell Ritchie wrote:You probably would nowadays, but twenty years ago the security hazards were so much less.

Actually, according to JB, people simply didn't understand them. He cites his own mistakes of not making BigInteger and BigDecimal final.

Winston
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!