Ask HN: "Java security exploit" vs "Python security exploit"

9 points by dragonbonheur ↗ HN
Google shows 2.51M results for "Java security exploit" versus 5.03M for "Python security exploit". Any thoughts about why so many news stories concentrate on Java's flaws compared to other languages? Is Python really more secure or better suited for enterprise development? Comments welcome.

10 comments

[ 3.4 ms ] story [ 32.3 ms ] thread
Google's count of results is both not accurate for any useful human understanding of the word "accurate" and also neither predictive of any fact about material reality nor reflective of any sort of Internet-wide sentiment. You'd get similarly useful results by seeding a random number generator with those search strings and examining the output.
I believe it is indicative of media exposure to incidents, kind of like seeing how many people are aware of a situation IRL to assess its cultural impact, if only in proportion. But that's just my opinion.
People focus on these because they are usually exploitable through applets; as such they pose a direct threat to users. The recent issues have been mostly irrelevant to "enterprise systems" since so few use Java's sandboxing, and it's typically easy and quick for developers to respond.

If Python was runnable in browsers and widely installed I suspect it would be treated differently in media.

So in a way despite its age, Java is still like the pioneer with all the arrows sticking out of its back.
Huh? I see Google report 31.8K results for ["Java security exploit"] and only 4 for ["Python security exploit"]. So in addition to any other problems with this as a rough estimator, removing some of the fuzziness of you unquoted queries gives a wildly different indication.

Separately, some of the worst Java bugs have been problematic and widely-exploitable not because of Java as a language, but Java as an applet/web-browser extension platform, which tries (and too often has failed) in running untrusted code in a safe manner.

Few other languages have even tried to fill that niche -- really only Javascript does, and it achieves what safety it provides by an even stricter lockdown of platform-capabilities.

Indeed I did not use quotes. The fact remains that the proportion remains higher for Python.

In a way it's sad that Javascript isn't implemented on top of an accessible bytecode interpreter (VM) that someone could write another translator for. I'd love it if browsers could be extended in Lua.

The "proportion" of what remains "higher", exactly?

Google only shows the first ~900 results; the 'about' count of results beyond that are very rough estimates.

To the extent such counts are indicative of anything at all, the exact-phrases will have stronger implications than the counts for fuzzier non-phrase queries. For example, your queries will also return pages that include the comment, "there are very few security exploits in Python".

The fact remains that search result numbers are completely useless for estimating the security of a language. Even more so without quotes.

* Search results show visibility on the web, nothing else.

* Without quotes, it may mean that more people talk about Python security than Java security. Or about writing exploits in Python, not for for Python.

* Java is extremely secure if it is run in the same place as Python, and not executing untrusted bytecode in a browser plugin. Nobody runs unknown Python code on their machines. Java vs. Flash. vs. Javascript makes more sense as a comparison, because all three are used for executing untrusted code.

In other news, I get 1M search results for "bieber security exploit" and 27M for "google security exploit" without quotes. But I don't think Justin Bieber or Google have more security issues than Java browser plugins.

A google search like that could also include security exploits using python etc. And even google has started putting less importance to the count. It basically means nothing.
As others have pointed out, trying to deduce anything about the security of Java or Python from the number of Google hits is pointless.

Which of the two systems is "more secure" is rather vague and certainly hard to answer. You might be able to get a better approximation by comparing the number of CVEs relating to each one in a given time frame. But you'll probably want to categorize CVEs by their level of severity or even weight them by their relevancy for the particular application you have in mind. For example, Python does not even try to provide a safe sandbox for web applets while Java does, so the current problem does not even have a meaningful equivalent in the Python world.

My armchair guess is that neither of the two will have a completely terrible track record compared to the other one, and so picking either one should be fine from the point of view of security. In any case you'll have to respond to eventual problems in a timely manner.