From the course: Secure Coding in Java
Serialization
- Serialization is a much-criticized feature of Java, mainly because it's attack-prone. Let's finish up this course by talking a bit about serialization in Java and ways to mitigate the risk. First of all, we need to talk about what it is. Serialization is a mechanism for class data access, as well as construction, that lies outside our normal getters and setters, as well as our normal construction routines. It bypasses all field-level access controls. And this is by design, because usually we don't want those to get in the way when we're deserializing data as it's coming in. Now, the bad part about this is that because we're bypassing access controls, input can be injected maliciously into our serialized data classes. The bad part about all of this is that we can't actually avoid serialization in most applications. Many web applications, for instance, require deserialization as the data comes in, and serialization as…
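The two points above, that deserialization skips the constructor and writes private fields directly, and that the risk therefore has to be handled on the way in, can be seen in a short program. This is an added example, not code from the course or its exercise files; the `Account` and `NotAllowed` classes, the field names and the byte-patching helper are hypothetical, and it needs Java 11 or later (`ObjectInputFilter` is Java 9+, `String.isBlank` is Java 11+). It serializes a valid `Account`, edits the wire bytes to a balance the constructor would refuse, and shows the two mitigations that still apply: re-validating in `readObject`, and an allow-list `ObjectInputFilter` that stops classes outside the expected set before they are instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Arrays;

public class SerializationDemo {

    // Hypothetical domain class for this example. The constructor enforces
    // an invariant: non-blank owner, non-negative balance.
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;
        private final long balanceCents;

        Account(String owner, long balanceCents) {
            if (owner == null || owner.isBlank()) {
                throw new IllegalArgumentException("owner required");
            }
            if (balanceCents < 0) {
                throw new IllegalArgumentException("balance must not be negative");
            }
            this.owner = owner;
            this.balanceCents = balanceCents;
        }

        // Deserialization writes the private final fields directly and never
        // calls the constructor, so the invariant has to be re-checked here:
        // readObject is the one hook that does run on the way in.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (owner == null || owner.isBlank() || balanceCents < 0) {
                throw new InvalidObjectException("corrupt Account: " + owner + "/" + balanceCents);
            }
        }
    }

    // A serializable class that is deliberately NOT on the allow-list below.
    static final class NotAllowed implements Serializable { private static final long serialVersionUID = 1L; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Simulates an attacker editing the wire bytes: locate the big-endian
    // encoding of the original long field value and overwrite it in place.
    static byte[] patchLong(byte[] stream, long from, long to) {
        byte[] needle = ByteBuffer.allocate(8).putLong(from).array();
        byte[] patch = ByteBuffer.allocate(8).putLong(to).array();
        byte[] out = stream.clone();
        for (int i = 0; i + 8 <= out.length; i++) {
            if (Arrays.equals(out, i, i + 8, needle, 0, 8)) {
                System.arraycopy(patch, 0, out, i, 8);
                return out;
            }
        }
        throw new IllegalStateException("field value not found in stream");
    }

    // Allow-list filter (JEP 290): only Account and java.base types may be
    // instantiated; any other class is rejected before it is loaded.
    // maxdepth/maxbytes cap nesting and stream size against resource abuse.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxbytes=4096;SerializationDemo$Account;java.base/*;!*");

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Account("alice", 1000L));
        Account a = (Account) deserialize(good);
        System.out.println("round trip: " + a.owner + " " + a.balanceCents);

        // Flip the balance to a value the constructor would have refused.
        byte[] tampered = patchLong(good, 1000L, -1L);
        try {
            deserialize(tampered);
        } catch (InvalidObjectException e) {
            System.out.println("rejected by readObject: " + e.getMessage());
        }

        // A class outside the allow-list never gets instantiated.
        try {
            deserialize(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Without the `readObject` check, the tampered stream would yield an `Account` with a negative balance that no code path in the class could otherwise produce. The filter is set per stream here so the example is self-contained; the same pattern syntax can be applied process-wide with the `jdk.serialFilter` system property, which is the safer default when you cannot avoid accepting native serialization from untrusted input.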