Secure Java Code IQ Test

Even with advanced security architecture and built-in security features, Java isn't immune to security risks. Take this IQ test to see whether you know how to write more secure Java code.


Test Instructions: For each question, choose the single best answer. There is no time limit, so you can change your answers at any time. When you click the Done button, the IQ test report and the explanation of each answer will appear on the next screen.

1.   Which line of the following code may have a security problem?

1. class BadCode {
2.    int num;
3.    public int getNum() {
4.        return num;
5.    }
6.    public void setNum(int num) {
7.        this.num = num;
8.    }
9.    ...
10. }
A.    line 1
B.    line 2
C.    line 4
D.    line 7

2.   Assume Foo has been defined somewhere. Which line below has a security problem?

1. class BadCode {
2.    private Foo foo;
3.    public BadCode (Foo f) {
4.        foo = f;
5.    }
6.    public BadCode() {}
7.    protected void useFoo() {
8.        int num = foo.num;
9.        String name = foo.name;
10.        .... 
11.   }
12.    ....
13. }
A.    line 2
B.    line 3
C.    line 4
D.    line 8

3.   Jack wants to design a fully protected class that is not extensible. Which line conflicts with his intent?

1. class MyPrivacy {
2.    private int key = 1234;
3.    //...
4.    protected void setKey(int privateKey) {
5.        this.key = privateKey;
6.    }
7.    protected int getKey() {
8.        return this.key;
9.    }
10.    //...
11. }

A.    line 1
B.    line 2
C.    line 4
D.    line 8


4.   Mike thought the following code would guarantee that the private field key is initialized by the parameterized constructor, so a set method is not necessary. Is that true?

class MyPrivacy {
    private int key = 1234;
    //...
    public MyPrivacy() {}
    public MyPrivacy(int k) {
        this.key = k;
    }
    protected int getKey() {
        return this.key;
    }
   
    //...
}
A.    True
B.    False

5.   Aaron doesn't want his class to be serialized in any way. How can he do that?
A.    Make his class final
B.    Make his class static
C.    Define a readObject() method in his class
D.    Define a writeObject() method in his class


6.   Jerry wants to compare two classes to see whether they are the same. He wrote the following piece of code. Is the code below OK?

public boolean match(Object o) {
    return this.getName() == ((SomeClass)o).getName();
}
A.    The code is OK.
B.    The code is not OK.

7.   Betty wants a field that stores sensitive data such as an ID or SSN. Which of the following data types is the best choice?
A.    String
B.    StringBuffer
C.    char
D.    char array


8.   The following code is a very common example, but it has a security weakness. Which line of code is affected? Assume Foo is a class defined somewhere.

1. public class Test {
2.     private Foo foo = null;
3.     ....
4.     public void setFoo(Foo foo) {
5.         this.foo = foo;
6.     }
7.     public Foo getFoo() {
8.         return foo;
9.     }
10.
11.    ....
12. }
A.    line 1
B.    line 2
C.    line 5
D.    line 8