Secure Coding Exam Objectives
There are nine stated subjects in the document which this exam objective covers. The topics are summarized here
Secure Coding Objectives
From the Oracle website.
1. Denial of Service
Input into a system should be checked so that it will not cause excessive resource consumption disproportionate to that used to request the service. Common affected resources are CPU cycles, memory, disk space, and file descriptors.
In rare cases it may not be practical to ensure that the input is reasonable.
It may be necessary to carefully combine the resource checking with the logic of processing the data. In addition to attacks that cause excessive resource consumption, attacks that result in persistent DoS, such as wasting significant disk space, need be defended against.
Server systems should be especially robust against external attacks.
2. Confidential Information:
Confidential data should be protected at all costs. it should only be readable in a very limited scope and by a limited authorized audience.
3. Injection and Inclusion:
Prevent malicious attacks beginning with this simple text input, which could cause an anticipated changes of control in an application process or produce unwitting exposure of data.
4. Accessibility and Extensibility:
Protect application code by reducing the attack surface, limiting what is exposed with stricter access privileges and preventing code from being extended.
5. Input Validation:
Validate external inputs using various techniques such as 1) method parameter checking, 2) validating returned values from untrusted code, and limiting access to native code.
6. Mutability:
Preventing mutations of objects from external actors.
A mutating object can create a lot of security problems and provide opportunities for malicious actors to hijack the data or behavior.
7. Object Construction:
limit exposure to the construction process of objects.
In the process of construction, an object exists, but it is not quite ready for use, which can lead to unexpected issues
8. Serialization and Deserialization:
Identify the most risky areas to use serialization and discuss the pitfalls of deserialization, remembering that these processes sidestep the field access control mechanisms.
9. Access (This is not an exam objective)
Use and understand the SecurityManager to perform security checks and to elevator restrict permissions of code.
Three Categories
These 9 objectives will be split into 3 categories.
Category 1
1. Protecting the application code which will include the topics:
- Preventing denial of service
- limiting Accessibility and extensibility
Category 2
2. Ensuring data integrity which will include:
- validation of inputs
- Reduce use of, and limit access to mutable objects
- Secure and confidential information
- Preventing injections and inclusion
Category 3
3. Protecting object construction including the following topics:
- Securing construction sensitive objects
- Limiting or eliminating serialization and deserialization