| Critical Question | Reasons Causing Vulnerabilities | Suggested Solutions |
| Q.1 | Classes are public | The product should make all classes package-private, since they are in the same package (M3Application) and not served as an API or interface for external classes. |
| Q.1 | Methods are public | This implementation is not appropriate. Methods in the product should obtain at least default access modifier privilege. Most of them should be in private access modifier privilege, since they are used internally. |
| Q.1 | Variables are public | Variables should limit the accessibility. In this product, most variable should be in private access modifier privilege. |
| Q.2 | Resource is not proper closed | This product should use try-with-resources statement to ensure each resource is closed at the end of the statement. |
| Q.2 | More than one resource operations in the try-catch-finally block | Since several exceptions may be thrown, some exceptions will be masked. |
| Q.5 | Static variables | Since other classes in the same scope may be able to access and modify a static variable, this variable should better be claimed as final static. |
| Q.9 | Inner class | Since there are some security issues related to inner class. It is better to move inner classes to outer classes. |
| Q.12 | Sensitive information | Use Java security APIs to handle sensitive information. |