The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Weaknesses
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a...
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that ...
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses ...
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes ...
Concepts
Deprecated or Obsolete
CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" pu...
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.