|
Rule 10: Make Classes, Fields, Methods Private
Ensure your Java code is secure
by Adam Kolawa, Ph.D., Gina Assaf, and Roberto Scaramuzzi
Posted May 12, 2004
Editor's Note: Java Pro Online presents a weekly rule for ensuring the security of Java systems. Here are Rules 10 and 11 for beginning your strategy for ensuring your Java applications are secure. See the entire index of Java code security rules in this series.
This rule requires that all classes, fields, and methods are private unless there is a reason why they should not be private. If a class, field, or method is not private, hackers could use it as a potential entry point. If there is a good reason why a class, field, or method should not be private, it does not need to be private, but that reason should be clearly documented.
Bonus Rule 11
Make Classes, Fields, and Methods Final. This rule requires that all classes, fields, and methods be final unless there is a good reason why they should not be. If a class or method is not final, hackers could try to extend it in an unsafe way. If there is a good reason why a method or class should not be final, it does not need to be final, but that reason should be clearly documented.
If you follow all of these rules (posted weekly at Java Pro Online from March 10 – May 12 2004), your code will be protected from many common security attacks. However, these rules should be viewed as the beginning of a thorough security strategy, not as a security panacea. You need to anticipate and protect every possible security vulnerability because just one vulnerability can allow a skilled or lucky hacker to steal classified information or make your application unavailable. To ensure security, you need to learn how to identify and repair additional security vulnerabilities (see Resources).
Rules' sources:
"Twelve Rules for Developing More Secure Java Code" Gary McGraw and Edward Felten JavaWorld (December 1998). Secure Programming for Linux and Unix HOWTO David A. Wheeler
About the Authors
Adam Kolawa, Ph.D, is the chairman and CEO of Parasoft. He is a writer and speaker on industry issues and in 2001 was awarded the Los Angeles Ernst & Young Entrepreneur of the Year Award in the software category. Gina Assaf has been developing, designing, testing, and implementing applications in Java for over six years, and has researched and developed coding standards for Parasoft, many of which provide security for Java applications. Roberto Scaramuzzi, Ph.D., is a Java and Perl Developer for Parasoft in San Diego, California. Born in Italy, he later moved to the United States to obtain his doctorate in Mathematics from Yale University. Contact the authors at .
Back to top
|