The Cert Oracle Secure Coding Standard For Java Book Review
First look at the Book Cert Oracle Secure Coding Standard For Java
I'm a Java developer with over 2 years of experience. I've always been on the search to learn more about Java and to understand the techniques to produce production-quality code that won't break. As a Java enthusiast, on weekends and during free hours, I regularly try out sample applications on several platforms like Google App Engine and AWS and put my hands on different technologies like Struts, Spring, Hibernate etc. When coding is what you do daily, you should constantly be on the hunt for ways to code faster, smarter and make your product resilient. On first look, the fact that CERT (Computer Emergency Response Team) has taken up the task of writing this book is what attracted me, because they are the specialists worldwide when it comes to security.
An invaluable book by CERT on how to code in Java safely. A complete guide to understanding validation, sanitization and DoS-prevention coding techniques, written exclusively for Java.
Who should buy this book?
Have you been into Java development for over a few months now? Do you wonder how and where exactly you should apply security measures in your code, like data validation, sanitization, canonicalization and normalization? Well then, this book says just that. I've spent countless hours reading theories about how you could do these things, and when I start coding I have no idea how I am supposed to code in a way that blocks Denial of Service attacks. I never knew I could until I got my hands on this book.
Who should not buy this book!
Honestly, if you are new to Java and haven't written anything more than a hello world, I wouldn't suggest this book for you. For you, the better move is to understand plain Java in more depth, try to become an Oracle Certified Java Professional, and then come back for this book.
Java is Secure by Birth, So Why Should I Care About Security Again?
Most of us might have heard of Java as a very secure language. But it was when I read this book that I read "Java was designed to allow the execution of untrusted code" and realized it's true. Whenever I need new functionality not available in native Java, I search for its libraries and include the jar files or update my pom.xml without thinking twice. How trustworthy could these libraries be? Even if most people won't include coding flaws intentionally, it could happen by mistake and unawareness. It's a big pain-point of non-profit open-source coding.
An experience of getting my site hacked.
It was over a year back, in 2011, when I was learning PHP, that I decided to make a wiki-based product using the MediaWiki framework. I bought the hosting space and domain, installed the MediaWiki framework (free) on my domain, tweaked some code for my product and voila! Week 1: I got up and running. I asked a few of my friends to be members on it and they did. I left it for 2 months to pursue my job hunt. When I came back, it was mayhem. My site had been hijacked and had spam ads and redirection links to 3rd-party scam sites. The changes in my site affected the server it was hosted on and all the other sites hosted on it. Finally, I had to take it down and lost all the visitors who had started to become familiar with it.
Bottom line: It's wrong to think you don't have to be aware of secure coding until you are a software security professional. Every normal developer should know it. You no longer need a hacker sitting around and monitoring your site to hijack it (that happened in the 1990s). There are zillions of automated bots that crawl for and exploit your product's security flaws and hijack your sites without any human intervention. You need to proactively take security measures to prevent such attacks.