Computing Reviews
Java coding guidelines : 75 recommendations for reliable and secure programs
Long F., Mohindra D., Seacord R., Sutherland D., Svoboda D., Addison-Wesley Professional, Upper Saddle River, NJ, 2014. 304 pp. Type: Book (978-0-321-93315-7)
Date Reviewed: Apr 23 2014

This well-articulated book serves as a companion to The CERT Oracle secure coding standard for Java [1]. Vulnerabilities that stem from everyday coding practices urgently need to be recognized and addressed, yet they are seldom taken into account during development. The book provides 75 recommendations, applicable to a range of scenarios, that help produce production code free of common, unintentional, and potentially fatal security vulnerabilities.

The content of this book clearly demonstrates the authors' expertise in the security domain. There are five chapters, and the recommendations grouped under them are not mutually exclusive. The authors keep a consistent narrative: each recommendation opens with an introduction to the scenario, followed by a noncompliant code snippet that realizes the scenario but is fraught with gotchas and caveats. That snippet is critiqued and then followed by a compliant snippet that shows the correct way to write the code while avoiding the programming-related security vulnerability.

Chapter 1, “Security,” provides 21 recommendations that range from safeguards against Lightweight Directory Access Protocol (LDAP), XPath, and code injection to more common pitfalls to watch for, including misuse of clone() and of Object.equals(). There are also some seemingly obvious recommendations, such as “prevent arbitrary file upload” and “do not use insecure encryption algorithms.”
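To make the LDAP injection recommendation concrete, here is an added Java example (written for this review, not code from the book): a filter built by string concatenation next to the same filter built with the value escaped as RFC 4515 requires. The class name, the uid attribute and the attacker string are assumptions chosen for the illustration.

```java
import java.nio.charset.StandardCharsets;

public final class LdapFilterEscape {

    // Noncompliant pattern: the caller-supplied uid is pasted straight into the filter.
    // A uid such as "*)(uid=*))(|(uid=*" turns a lookup for one user into a match-all.
    static String vulnerableFilter(String uid) {
        return "(&(uid=" + uid + ")(objectClass=person))";
    }

    // Hardened pattern: every RFC 4515 filter metacharacter in the value is replaced
    // by its backslash-hex form before the value is interpolated into the filter.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            switch (b) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case 0:    out.append("\\00"); break;
                default:
                    if (b < 0x20 || b >= 0x7f) {
                        // control byte or non-ASCII byte (negative as a Java byte): hex-escape it
                        out.append(String.format("\\%02x", b & 0xff));
                    } else {
                        out.append((char) b);
                    }
            }
        }
        return out.toString();
    }

    static String safeFilter(String uid) {
        return "(&(uid=" + escapeFilterValue(uid) + ")(objectClass=person))";
    }

    public static void main(String[] args) {
        // Constructed malicious input for the demonstration (assumed, not from the book).
        String attackerUid = "*)(uid=*))(|(uid=*";
        System.out.println("vulnerable: " + vulnerableFilter(attackerUid));
        System.out.println("escaped:    " + safeFilter(attackerUid));
    }
}
```

Running the class prints the unescaped filter, in which the attacker's parentheses and wildcards have restructured the query, followed by the escaped filter, in which every metacharacter has become a literal \2a, \28 or \29 sequence and the attribute value is matched as plain text. Escaping the value is the mitigation; validating that a uid only ever contains the characters the directory schema allows is a stronger first line of defence, and the two can be combined.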

In chapter 2, “Defensive Programming,” the authors address an art too easily lost by the wayside when even astute developers sprint toward project deadlines. This chapter accentuates the many different facets presented in the book, and I think it will be one of the best received. The sections on minimizing the scope of variables and on numeric promotion behavior are very interesting. The recommendation that constants not be declared public final might seem a little out of place in this chapter.

Chapter 3 delivers recommendations addressing reliability. It provides good advice such as using the same type for the second and third operands of the conditional (?:) operator and detecting runtime errors without relying on assertions. Some recommendations in this chapter seem more geared toward performance, such as reserving exceptions for exceptional conditions and removing short-lived objects from long-lived containers.
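The conditional-operator advice from chapter 3 and the numeric promotion advice from chapter 2 are both about the same trap: Java silently changes the type of an expression based on details of the operands. The following Java example is added by this reviewer to illustrate that point and is not code from the book; the method and class names are assumptions.

```java
public final class OperandTypes {

    // Conditional operator: a char second operand and an int *variable* third operand
    // undergo binary numeric promotion, so the expression's type is int and the char
    // is converted to its numeric value.
    static String mixedCharAndIntVariable(boolean flag) {
        char c = 'x';
        int i = 0;
        return String.valueOf(flag ? c : i);
    }

    // Replace the variable with an int constant that fits in a char and the expression's
    // type becomes char instead; a one-token change flips the result of the method.
    static String mixedCharAndIntConstant(boolean flag) {
        char c = 'x';
        return String.valueOf(flag ? c : 0);
    }

    // Compliant: give both operands the same type so the result type is obvious.
    static String sameOperandTypes(boolean flag) {
        char c = 'x';
        int i = 0;
        return flag ? String.valueOf(c) : String.valueOf(i);
    }

    // Numeric promotion: the multiplication is carried out in int and can wrap
    // before the result is widened to long on return.
    static long microsWrapping(int seconds) {
        return seconds * 1_000_000;
    }

    // A long literal promotes the int operand to long before the multiplication.
    static long microsCorrect(int seconds) {
        return seconds * 1_000_000L;
    }

    // Compound assignment narrows silently: s += 1.5 means s = (short) (s + 1.5),
    // and the compiler accepts it without a cast.
    static short compoundNarrowing() {
        short s = 1;
        s += 1.5;
        return s;
    }

    public static void main(String[] args) {
        System.out.println(mixedCharAndIntVariable(true));
        System.out.println(mixedCharAndIntConstant(true));
        System.out.println(sameOperandTypes(true));
        System.out.println(microsWrapping(3000));
        System.out.println(microsCorrect(3000));
        System.out.println(compoundNarrowing());
    }
}
```

With the flag set to true the first method returns the string "120" (the code point of 'x'), the second returns "x", and the third returns "x" regardless of what the other operand is. For 3000 seconds the int multiplication exceeds Integer.MAX_VALUE and wraps to a negative number, while the long-literal version yields 3000000000; the compound assignment returns 2. None of these differences produce a compiler error, which is why the book treats them as reliability rather than syntax issues.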

In chapter 4, the authors offer many good suggestions pertaining to code readability, which can help prevent security loopholes from being introduced into the product. The 15 or so recommendations are valuable, and some of them, for example “use braces for the body of an if, for, or while statement,” are pieces of wisdom we have encountered in many other programming texts. This chapter may not appeal to highly skilled programmers with a penchant for writing terse and convoluted compound syntactic structures.

Chapter 5, “Programmer Misconceptions,” is very informative, even for readers who simply want to appreciate the nuances of the Java language. The treatment of thread safety, sleep()/yield(), and volatile references makes it palatable for programmers at every level.
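Two of the chapter 5 misconceptions, that a volatile reference protects the object it points to and that sleep() or yield() provide synchronization, are easiest to see side by side. The Java example below is added here as an illustration and is not code from the book; the class, field and method names are assumptions.

```java
public final class VolatileMisconceptions {

    static final class Limits {
        int[] values = new int[4];   // mutable state reached through the reference
    }

    // Misconception 1: 'volatile' orders the assignment to the field itself, not the
    // writes later made *through* the reference to the object's members.
    static volatile Limits limits = new Limits();

    static void updateInPlaceUnsafe() {
        limits.values[0] = 42;       // plain write into the array; a reader may never observe it
    }

    // Compliant: build the replacement completely, then publish it with one volatile write.
    // A reader that sees the new reference also sees everything written before the publish.
    static void updateByReplacementSafe() {
        Limits fresh = new Limits();
        fresh.values[0] = 42;
        limits = fresh;              // the volatile write is the publication point
    }

    static int readFirstLimit() {
        return limits.values[0];     // volatile read pairs with the publishing write
    }

    // Misconception 2: Thread.sleep() and Thread.yield() have no synchronization semantics.
    // A non-volatile flag may be read once and the read hoisted out of the loop.
    static boolean stopRequested;

    static void pollWithSleepUnsafe() throws InterruptedException {
        while (!stopRequested) {
            Thread.sleep(10);        // pauses the thread but does not force a fresh read of the flag
        }
    }

    // Compliant: the flag is volatile, so every iteration performs a real read.
    static volatile boolean stopRequestedSafe;

    static void pollWithSleepSafe() throws InterruptedException {
        while (!stopRequestedSafe) {
            Thread.sleep(10);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Thread writer = new Thread(VolatileMisconceptions::updateByReplacementSafe);
        writer.start();
        writer.join();
        System.out.println("published limit: " + readFirstLimit());

        Thread poller = new Thread(() -> {
            try {
                pollWithSleepSafe();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        poller.start();
        stopRequestedSafe = true;    // volatile write; the poller exits on its next read
        poller.join();
        System.out.println("poller stopped");
    }
}
```

The unsafe variants are kept in the class but not exercised by main, because a data race of this kind is not reliably reproducible in a demo: the program may appear to work for years and then hang or read stale data after a JIT or hardware change. That unpredictability is exactly why the book files these under misconceptions rather than bugs the tests will catch.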

I would recommend adding this book to one's arsenal alongside Effective Java [2]. It is equally targeted at programming professionals who need it as a reference and at computer science students. The structure of the narration and the modularization of the recommendations ease traversal across the various advisories and allow quicker assimilation of the information.

Reviewer: Rohit Bahl. Review #: CR142208 (1407-0499)
1) Long, F.; Mohindra, D.; Seacord, R. C.; Sutherland, D. F.; Svoboda, D. The CERT Oracle secure coding standard for Java. Pearson, Upper Saddle River, NJ, 2012.
2) Bloch, J. Effective Java: programming language guide. Addison-Wesley, Boston, MA, 2001.
Subject classification: Object-Oriented Programming (D.1.5); Java (D.3.2 ...)

Copyright 1999-2024 ThinkLoud®. Reproduction in whole or in part without permission is prohibited.