Russell Bateman
February 2014
last update:
Noted from an article by Vlad Mihalcea.
Items and categories from these references:
The elements in this check-list are categorized.
| Use intention-revealing names | Meaningful Names |
| Pick one word per concept | Meaningful Names |
| Use Solution/Problem Domain Names | Meaningful Names |
| Classes should be small | Classes |
| Methods should be small | Functions |
| Do one thing | Functions |
| Don't repeat yourself (avoid duplication) | Functions |
| Explain yourself in code | Comments |
| Make sure the code formatting is applied | Formatting |
| Use exceptions rather than return codes | Exceptions |
| Don't return null | Exceptions |
| Make class final if not being used for inheritance | Fundamentals |
| Avoid duplication of code | Fundamentals |
| Restrict privileges: Application to run with the least privilege mode required for functioning | Fundamentals |
| Minimize the accessibility of classes and members | Fundamentals |
| Document security related information | Fundamentals |
| Input into a system should be checked for valid data size and range | Denial of Service |
| Avoid excessive logs for unusual behavior | Denial of Service |
| Release resources (Streams, Connections, etc) in all cases | Denial of Service |
| Purge sensitive information from exceptions (exposing file path, internals of the system, configuration) | Confidential Information |
| Do not log highly sensitive information | Confidential Information |
| Consider purging highly sensitive from memory after use | Confidential Information |
| Avoid dynamic SQL, use prepared statement | Injection Inclusion |
| Limit the accessibility of packages,classes, interfaces, methods, and fields | Accessibility Extensibility |
| Limit the extensibility of classes and methods (by making it final) | Accessibility Extensibility |
| Validate inputs (for valid data, size, range, boundary conditions, etc) | Input Validation |
| Validate output from untrusted objects as input | Input Validation |
| Define wrappers around native methods (not declare a native method public) | Input Validation |
| Treat output from untrusted object as input | Mutability |
| Make public static fields final (to avoid caller changing the value) | Mutability |
| Avoid exposing constructors of sensitive classes | Object Construction |
| Avoid serialization for security-sensitive classes | Serialization Deserialization |
| Guard sensitive data during serialization | Serialization Deserialization |
| Be careful caching results of potentially privileged operations | Serialization Deserialization |
| Only use JNI when necessary | Access Control |
| Avoid excessive synchronization | Concurrency |
| Keep Synchronized Sections Small | Concurrency |
| Beware the performance of string concatenation | General Programming |
| Avoid creating unnecessary objects | Creating and Destroying Objects |
| Use checked exceptions for recoverable conditions and runtime exceptions for programming errors | Exceptions |
| Favor the use of standard exceptions | Exceptions |
| Don't ignore exceptions | Exceptions |
| Check parameters for validity | Methods |
| Return empty arrays or collections, not nulls | Methods |
| Minimize the accessibility of classes and members | Classes and Interfaces |
| In public classes, use accessor methods, not public fields | Classes and Interfaces |
| Minimize the scope of local variables | General Programming |
| Refer to objects by their interfaces | General Programming |
| Adhere to generally accepted naming conventions | General Programming |
| Avoid finalizers | Creating and Destroying Objects |
| Always override hashCode when you override equals | General Programming |
| Always override toString | General Programming |
| Use enums instead of int constants | Enums and Annotations |
| Use marker interfaces to define types | Enums and Annotations |
| Synchronize access to shared mutable data | Concurrency |
| Prefer executors to tasks and threads | Concurrency |
| Document thread safety | Concurrency |
| Valid JUnit/JBehave test cases exist | Testing |