Ask HN: "Java security exploit" vs "Python security exploit"
Google shows 2.51M results for "Java security exploit" versus 5.03M for "Python security exploit".
Any thoughts about why so many news stories concentrate on Java's flaws compared to other languages? Is Python really more secure or better suited for enterprise development? Comments welcome.
10 comments
[ 3.4 ms ] story [ 32.3 ms ] threadIf Python was runnable in browsers and widely installed I suspect it would be treated differently in media.
Separately, some of the worst Java bugs have been problematic and widely-exploitable not because of Java as a language, but Java as an applet/web-browser extension platform, which tries (and too often has failed) in running untrusted code in a safe manner.
Few other languages have even tried to fill that niche -- really only Javascript does, and it achieves what safety it provides by an even stricter lockdown of platform-capabilities.
In a way it's sad that Javascript isn't implemented on top of an accessible bytecode interpreter (VM) that someone could write another translator for. I'd love it if browsers could be extended in Lua.
Google only shows the first ~900 results; the 'about' count of results beyond that are very rough estimates.
To the extent such counts are indicative of anything at all, the exact-phrases will have stronger implications than the counts for fuzzier non-phrase queries. For example, your queries will also return pages that include the comment, "there are very few security exploits in Python".
* Search results show visibility on the web, nothing else.
* Without quotes, it may mean that more people talk about Python security than Java security. Or about writing exploits in Python, not for for Python.
* Java is extremely secure if it is run in the same place as Python, and not executing untrusted bytecode in a browser plugin. Nobody runs unknown Python code on their machines. Java vs. Flash. vs. Javascript makes more sense as a comparison, because all three are used for executing untrusted code.
In other news, I get 1M search results for "bieber security exploit" and 27M for "google security exploit" without quotes. But I don't think Justin Bieber or Google have more security issues than Java browser plugins.
Which of the two systems is "more secure" is rather vague and certainly hard to answer. You might be able to get a better approximation by comparing the number of CVEs relating to each one in a given time frame. But you'll probably want to categorize CVEs by their level of severity or even weight them by their relevancy for the particular application you have in mind. For example, Python does not even try to provide a safe sandbox for web applets while Java does, so the current problem does not even have a meaningful equivalent in the Python world.
My armchair guess is that neither of the two will have a completely terrible track record compared to the other one, and so picking either one should be fine from the point of view of security. In any case you'll have to respond to eventual problems in a timely manner.