Reliance on Package-level Scope

Incomplete Base

Structure: Simple

Description

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

Extended Description

The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

Common Consequences 2

Scope: Confidentiality

Impact: Read Application Data

Any data in a Java package can be accessed outside of the Java framework if the package is distributed.

Scope: Integrity

Impact: Modify Application Data

The data in a Java class can be modified by anyone outside of the Java framework if the packages is distributed.

Potential Mitigations 1

Phase: Architecture and DesignImplementation

Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.

Demonstrative Examples 1

The following example demonstrates the weakness.

Code Example:Bad
Java
java

References 1

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

Likelihood of Exploit

Medium

Applicable Platforms

Languages:

Java : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Improper Control of a Resource Through its Lifetime (CWE-664)

Taxonomy Mapping

CLASP
The CERT Oracle Secure Coding Standard for Java (2011)