Standards suggested for writing secure Java

Industry group issues “essentials” for developing safe code

A group of secure-programming experts plans a series of documents that outline the skills coders need to write Web applications that are better able to withstand attacks.

The first of these is being made public Tuesday and sets down what the Secure Programming Council believes are essential capabilities these programmers must have to write Java and JavaEE code that is free of flaws that hackers might exploit.

While schools and other groups offer courses that teach secure coding, the curriculums are designed in isolation based on instructors’ best efforts, says Alan Paller, director of research for the SANS Institute, the information security training and research organization. They don’t adhere to industry standards for what they ought to include, he says.

The series of documents from the Secure Programming Council hopes to address this shortcoming by drawing on existing texts and input from secure-coding trainers as well as businesses that are making similar efforts for their in-house programmers, Paller says. “It’s a common body of what people need to know, benchmarks for employers and teachers,” he says.

The group hopes that teachers will adjust their syllabuses to incorporate the recommendations, he says.

The council is issuing Essential Skills for Secure Programmers Using Java/JavaEE now, and plans follow-ups for other languages including C, C++, and .Net languages as well as Perl and PHP. The Java paper is open for public comment until Dec. 1 at spa@sans.org.

While secure programming can help, it’s not enough, Paller notes. In addition to training, programmers need tools that assist in writing safe code and automatically test the code for vulnerabilities once it is written.

Ryan Berg, a member of the Secure Programming Council steering committee on Java and JavaEE and chief scientist at Ounce Labs, says guidelines are sorely needed. “Programmers don’t have a place to go to find out, ‘What do I need to know in order to write secure code?’” Berg says. Ounce Labs makes software that reads other software to look for weaknesses.

He says that each programming language has its own characteristics and weaknesses that developers using it need to know if they want to keep it safe from attacks. “Programmers need to understand the languages and the facilities provided by the languages to promote sound software design,” Berg says.

The document on Java and JavaEE hits seven areas of coding: data handling; authentication and session management; access control; Java types and virtual machine management; application faults and logging; encryption services; and secure architecture and coding principles.

The Secure Programming Council is made up of more than 40 organizations including Booz Allen & Hamilton, Ounce Labs, Deloitte and Touche, Kaiser Permanente, Firsthand Technologies, OWASP, Morgan Stanley, Tata Consulting, Neohapsis, Watchfire, Fortify, Amazon.com, and Stach & Liu.

This story, "Standards suggested for writing secure Java," was originally published by Network World.