Kingdom: Encapsulation

Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

Poor Style: Non-final Public Static Field

Abstract
Non-final public static fields can be changed by external classes.
Explanation
Typically, you do not want to give external classes direct access to your object's member fields, since a public field can be changed by any external class. Good object-oriented design uses encapsulation to prevent implementation details, such as member fields, from being exposed to other classes. Further, if the system assumes that this field cannot be changed, malicious code might be able to adversely change the behavior of the system by reassigning it.

Example 1: In the following code, the field ERROR_CODE is declared as public and static, but not final:


public class MyClass
{
    // public and static, but not final: any class on the classpath can reassign it
    public static int ERROR_CODE = 100;
    //...
}


In this case, malicious code might be able to change this error code and cause the program to behave in an unexpected manner.
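The following is an added example, not code from the original Fortify description. It places the page's MyClass beside two hardened alternatives: a true constant declared public static final, and, for state that genuinely must change at runtime (the Config class and its retryLimit field are hypothetical), a private static field behind a validated accessor. The main method shows that an unrelated class can silently rewrite the non-final field, while the final field cannot be reassigned at all.

```java
// Added example (not from the original page): a non-final public static
// field rewritten by an outside class, beside hardened forms.

// --- Vulnerable form, as in the page's Example 1 ---
class MyClass {
    public static int ERROR_CODE = 100;   // mutable from anywhere
}

// --- Hardened form 1: a real constant ---
// final makes the field a compile-time constant; reassignment is a compile error.
final class Codes {
    public static final int ERROR_CODE = 100;

    private Codes() {}   // utility holder, not meant to be instantiated
}

// --- Hardened form 2 (hypothetical): state that must change at runtime ---
// Keep the field private and route every change through a validating setter,
// so callers cannot put the system into a state it never expected.
class Config {
    private static volatile int retryLimit = 3;

    public static int getRetryLimit() {
        return retryLimit;
    }

    public static void setRetryLimit(int n) {
        if (n < 0 || n > 10) {
            throw new IllegalArgumentException("retryLimit out of range: " + n);
        }
        retryLimit = n;
    }
}

// An unrelated class: it has no special relationship to MyClass, yet it can
// change MyClass's behavior because the field is public, static and non-final.
public class EncapsulationDemo {
    public static void main(String[] args) {
        System.out.println("MyClass.ERROR_CODE before: " + MyClass.ERROR_CODE);
        MyClass.ERROR_CODE = -1;   // compiles and succeeds: the "constant" is gone
        System.out.println("MyClass.ERROR_CODE after:  " + MyClass.ERROR_CODE);

        // Codes.ERROR_CODE = -1;  // does not compile: cannot assign a value to final variable

        Config.setRetryLimit(5);
        System.out.println("Config.retryLimit: " + Config.getRetryLimit());
        try {
            Config.setRetryLimit(99);   // rejected by the setter's range check
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

One caveat when applying the fix: final freezes the reference, not the object. A public static final array, List or Map can still have its contents modified by any class, so such fields should be private, or wrapped with Collections.unmodifiableList and similar before being exposed.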
References
[1] Sun Microsystems, Inc. Secure Coding Guidelines for the Java Programming Language, version 2.0
[2] CERT. OBJ10-J. Do not use public static nonfinal fields
[3] Oracle. MUTABLE-9: Make public static fields final
[4] Standards Mapping - Common Weakness Enumeration: CWE ID 493
desc.structural.java.poor_style_non-final_public_static_field