Page Information
Title: Rule 14. Serialization (SER)
Author: Dhruv Mohindra (Feb 20, 2009)
Last Changed by: David Svoboda (Mar 15, 2022)
Tiny Link (useful for email): https://wiki.sei.cmu.edu/confluence/x/azdGBQ
Incoming Links
SEI CERT Oracle Coding Standard for Java (8)
Page: SER05-J. Do not serialize instances of inner classes
Page: FIO16-J. Canonicalize path names before validating them
Page: SER02-J. Sign then seal objects before sending them outside a trust boundary
Page: SER04-J. Do not allow serialization and deserialization to bypass the security manager
Page: SER11-J. Prevent overwriting of externalizable objects
Page: SER09-J. Do not invoke overridable methods from the readObject() method
Page: SER03-J. Do not serialize unencrypted sensitive data
Page: SER00-J. Enable serialization compatibility during class evolution
Hierarchy
Parent Page
Page: 2 Rules
Children (14)
Page: SER00-J. Enable serialization compatibility during class evolution
Page: SER01-J. Do not deviate from the proper signatures of serialization methods
Page: SER02-J. Sign then seal objects before sending them outside a trust boundary
Page: SER03-J. Do not serialize unencrypted sensitive data
Page: SER04-J. Do not allow serialization and deserialization to bypass the security manager
Page: SER05-J. Do not serialize instances of inner classes
Page: SER06-J. Make defensive copies of private mutable components during deserialization
Page: SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
Page: SER08-J. Minimize privileges before deserializing from a privileged context
Page: SER09-J. Do not invoke overridable methods from the readObject() method
Page: SER10-J. Avoid memory and resource leaks during serialization
Page: SER11-J. Prevent overwriting of externalizable objects
Page: SER12-J. Prevent deserialization of untrusted data
Page: SER13-J. Deserialization methods should not perform potentially dangerous operations
Labels
Global Labels (3): ser, rule-list, section
Recent Changes
Time                 Editor
Mar 15, 2022 09:46   David Svoboda
Mar 11, 2020 12:55   David Svoboda
Nov 21, 2018 14:11   Derek Leung
Nov 20, 2018 14:34   Derek Leung
Nov 20, 2018 13:50   Derek Leung
Outgoing Links
External Links (3)
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
SEI CERT Oracle Coding Standard for Java (1)
Home page: SEI CERT Oracle Coding Standard for Java