[2022 javaone] Secure Coding Guidelines for Java SE

Speaker: Chris Ries

For more see theĀ table of contents

Vulnerabilities and Secure Coding

  • “A flaw or weakness … that could be exploited to violated the system’s security policy” RFC 4949
  • Cost – remediation, immediate response (mitigation, detection, incident response, intermediate state while fix), reputation effect

Lifecycle

  • Design – Threat modeling, misuse cases
  • Implementation – , code review, static analysis
  • Integration/test – , dependency checkers, static analysis, runtime testing
  • Deployment/release (ex: missing third party patches) – vulnerability scanning, monitoring (ex: web application firewalls), dependency patching, vulnerability remediation

Resources

Scope of Oracle’s doc

  • General secure coding guidelines
  • Unique/especially relevant to Java
  • Not a comprehensive guide
  • Software security not security software
  • Read once and then use as a reference
  • Each section has a name and each item has a numbered key

Privileges and trust boundaries

  • FUNDAMENTALS-3 – Restrict privileges – app level isolation, separate services, lower level mechanisms (ex: containers, OS level restrictions)
  • FUNDAMENTALS-4 – Establish trust boundaries – identify interactions with untrusted datacode/users, apply security mechanisms, reduce attack surface

Secure third party code

  • FUNDAMENTALS-8 – Secure third-party code
  • Patching – apply patches, watch out for bundled/renamed code (shading), leverage automated tools
  • Best practices – understand model of libraries/frameworks, review config options
  • Tracking – check for updates/support, periodically review security “state of the art”

Denial of Service

  • DOS-4 – Robust errors/exception handling for services
  • Newest one
  • Exception causes – malformed input, logic errors, misconfiguration, environment failures, etc
  • can handle or propagate
  • Apps/libs may want to propagate. Long running systems may need to do more.
  • Define policy for when errors/exceptions reach bottom of call stack – ok to have general catch. Could discard current work, log/cleanup and continue. Rare to have to exit and restart

Injection and inclusion

  • Covers more common vulnerabilities – ex: SQL injection, XML processing
  • Prefer trusted library rather than rolling your own.

Input Validation

  • INPUT-1 – Validate inputs – avoid using untrusted input or validate. Validate early to avoid exposure. Validate immediately prior to use
  • INPUT-4 – Verify API behavior related to input validation – very thru docs/testing. Use created/returned object vs original input. Do additional validation as needed

Deserialization

  • Avoid deserializing untrusted data if at all possible
  • SERIAL-6 – Filter untrusted serial data
  • jdk.serialFilter – can specify class/packages with default deny.
  • Can set resource limits.
  • Alternatively, can setObjectInputFilter() on ObjectInputStream instance

Log4Shell

  • JNDI injection vulnerability
  • Untrusted lookup -> malicious server -> info disclosure, denial of service/remote code execution
  • INJECT-8 – Avoid JNDI lookups using untrusted data or follow measures in guidance
  • FUNDAMENTALS-3 – Restrict privileges. Minimize impact of compromises from zero days
  • FUNDAMENTALS-8 – Secure 3rd party code – Log4J often bundled/renamed, challenge to find vulnerable instances
  • FUNDAMENTALS-4 – Establish trust boundaries – where does untrusted data enter, what APIs does it reach
  • INPUT-1 – Validate inputs – avoid untrusted data or escape/encode/filter. Potentially useful for logged data

My take

This session was during the networking event and the live band was clearly audible. The walls were good as the noise went up greatly when the door opened. Still, I wish sessions weren’t at the same time. Props to the speaker for ignoring the band and the AV guy for managing the speaker

We got to the Oracle Secure Coding Guidelines at minute 15. I thought the whole session would be about this so was surprised there was so much intro. I tried reading the guide last year. Some parts are a tough read so it was nice to see a presentation. And I got to learn about setting filters on ObjectInputStream. The tie to Log4Shell was nice.

Leave a Reply

Your email address will not be published. Required fields are marked *