Skip to main content




The SEI CERT® Oracle® Secure Coding Standard for Java™ provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. This standard, published in 2011, covers security issues.


IDS00-J. Prevent SQL injection
169. Use parameterized queries
173. Discard unsafe inputs
IDS01-J. Normalize strings before validating them
172. Encrypt connection strings
IDS03-J. Do not log unsanitized user input
080. Prevent log modification
IDS06-J. Exclude unsanitized user input from format strings
083. Avoid logging sensitive data
IDS14-J. Do not trust the contents of hidden form fields
030. Avoid object reutilization
032. Avoid session ID leakages
181. Transmit data using secure protocols
IDS16-J. Prevent XML injection
173. Discard unsafe inputs
342. Validate request parameters
IDS17-J. Prevent XML External Entity attacks
324. Control redirects
NUM00-J. Detect or prevent integer overflow
345. Establish protections against overflows
OBJ10-J. Do not use public static nonfinal fields
227. Display access notification
MET02-J. Do not use deprecated or obsolete classes or methods
325. Protect WSDL files
MET03-J. Methods that perform a security check must be declared private or final
158. Use a secure programming language
ERR01-J. Do not allow exceptions to expose sensitive information
359. Avoid using generic exceptions
LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
026. Encrypt client-side session information
320. Avoid client-side control enforcement
TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
337. Make critical logic flows thread safe
TSM02-J. Do not use background threads during class initialization
346. Use initialization vectors once
FIO00-J. Do not operate on files in shared directories
046. Manage the integrity of critical files
280. Restrict service root directory
FIO01-J. Create files with appropriate access permissions
186. Use the principle of least privilege
341. Use the principle of deny by default
FIO03-J. Remove temporary files before termination
036. Do not deploy temporary files
177. Avoid caching and temporary files
FIO13-J. Do not log sensitive information outside a trust boundary
083. Avoid logging sensitive data
FIO14-J. Perform proper cleanup at program termination
183. Delete sensitive data securely
SER02-J. Sign then seal objects before sending them outside a trust boundary
151. Separate keys for encryption and signatures
178. Use digital signatures
SER12-J. Prevent deserialization of untrusted data
321. Avoid deserializing untrusted data
SEC04-J. Protect sensitive operations with security manager checks
378. Use of log management system
380. Define a password management tool
ENV02-J. Do not trust the values of environment variables
159. Obfuscate code
ENV06-J. Production code must not contain debugging entry points
078. Disable debugging events
MSC00-J. Use SSLSocket rather than Socket for secure data exchange
181. Transmit data using secure protocols
MSC02-J. Generate strong random numbers
223. Uniform distribution in random numbers
MSC04-J. Do not leak memory
164. Use optimized structures
MSC11-J. Do not let session information leak within a servlet
026. Encrypt client-side session information
DRD19-J. Properly verify server certificate on SSL/TLS
336. Disable insecure TLS versions
DRD15-J. Consider privacy concerns when using Geolocation API
213. Allow geographic location
STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator
044. Define an explicit charset
free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.