
JAVA CERTIFICATION QUESTION: Secure coding and serialization

· java,ocp

Which of the following isn't a guideline about secure serialization and deserialization?

* Avoid serialization for security-sensitive classes

* Guard sensitive data during serialization

* View deserialization the same as object construction

* Enforce security checks in deserialization, not in serialization

* Filter untrusted serial data

* None of the above

#java #certificationquestion #ocp


The answer is 'Enforce security checks in deserialization, not in serialization'.

That statement is not one of the guidelines in the Secure Coding Guidelines for Java SE. The actual guideline says the opposite: if a serializable class performs a security check in its constructors, the same check must be enforced during serialization AND deserialization, not just on one side.

As a reminder, here are the guidelines from the 'Serialization and Deserialization' section of the Secure Coding Guidelines for Java SE:

* Avoid serialization for security-sensitive classes

* Guard sensitive data during serialization (do not write sensitive fields to the stream; mark them transient or write a custom form)

* View deserialization the same as object construction (perform the same input validation checks in readObject/readResolve as those performed in a constructor)

* Duplicate the SecurityManager checks enforced in a class during serialization AND deserialization (if a serializable class performs a security-related check in its constructors, then perform that same check in the serialization and deserialization paths; note that SecurityManager is deprecated for removal since Java 17, JEP 411)

* Understand the security permissions given to serialization and deserialization

* Filter untrusted serial data
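The following is an added example, not code from the original post, showing three of the guidelines above in one small class: a transient field keeps the password out of the stream, readObject repeats the constructor's validation, and an ObjectInputFilter allow-list rejects classes the reader never expects. The class and field names (Account, NotAllowed, the filter pattern) are illustrative assumptions; it requires Java 9 or later for ObjectInputFilter.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public final class SerializationGuidelinesDemo {

    // Hypothetical domain class used to illustrate the guidelines.
    public static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;

        private final String username;
        // Guard sensitive data: transient fields are never written to the stream.
        private transient char[] password;

        public Account(String username, char[] password) {
            this.username = validateUsername(username);
            this.password = password.clone();
        }

        // The constructor's validation, shared with readObject below.
        private static String validateUsername(String u) {
            if (u == null || u.isEmpty() || u.length() > 32 || !u.matches("[A-Za-z0-9_]+")) {
                throw new IllegalArgumentException("invalid username");
            }
            return u;
        }

        // View deserialization as object construction: a crafted stream bypasses the
        // constructor, so the same checks are repeated here.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            validateUsername(username);
            // The transient field is not restored; leave it empty rather than trusting the stream.
            password = new char[0];
        }

        public String username() { return username; }
        public boolean hasPassword() { return password != null && password.length > 0; }
    }

    // A class that is deliberately absent from the filter's allow-list.
    public static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Filter untrusted serial data: allow-list the expected class and java.base,
    // reject everything else, and cap depth and size before any object is created.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "SerializationGuidelinesDemo$Account;java.base/*;!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account("alice", "hunter2".toCharArray());
        byte[] bytes = serialize(acct);

        // Guard sensitive data: the password must not appear anywhere in the stream.
        String streamText = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("password in stream? " + streamText.contains("hunter2"));

        Account copy = (Account) deserialize(bytes);
        System.out.println("restored user=" + copy.username()
                + ", hasPassword=" + copy.hasPassword());

        // Tamper with the username bytes in the stream (same length, forbidden character):
        // the constructor never ran, so readObject's repeated check is what rejects it.
        byte[] tampered = bytes.clone();
        int at = streamText.indexOf("alice");
        System.arraycopy("al;ce".getBytes(StandardCharsets.ISO_8859_1), 0, tampered, at, 5);
        try {
            deserialize(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("tampered stream rejected by readObject: " + e.getMessage());
        }

        // A class outside the allow-list is refused by the filter before instantiation.
        try {
            deserialize(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerializationGuidelinesDemo.java && java SerializationGuidelinesDemo`. The filter is applied per stream here with setObjectInputFilter; for a process-wide default, the same pattern string can be supplied through the jdk.serialFilter system property instead.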