What makes Java secure than C++?
.net - Why Java is secure compared with other programming languages? - Stack Overflow
security - Why is Java labeled as a "secure" language? - Stack Overflow
C++ or Java for a career in Information Security - Information Security Stack Exchange
There are many reasons why Java is a safe language, and it's definitely safer than some languages, but I think it's a stretch to say that it's safer than all other languages.
Java has a variety of safety features in place:
Automatic null-checking of references, bounds-checking of arrays, verification of casts, etc. to prevent the program from making type errors. Compare this to C or C++, where these same errors (with a few exceptions) cause undefined behavior.
Verification of bytecode prior to execution. This makes it impossible for the program to jump to an undefined instruction, or to try to perform an operation on a nonexistent object, or to make a type error at the instruction level, etc. Compare this to C or assembly, where the program can jump to bad instructions, or try reading nonexistent parameters to functions (think
va_args), etc.)Runtime security checks when loading in new code. The use of
SecurityManagerandClassLoadermake it easy for the Java runtime to prevent arbitrary code from executing on the computer by mediating access to system resources and preventing the program from loading or generating arbitrary code at runtime. Compare this to C or C++, which can read and write arbitrary values, issue arbitrary system calls, generate and execute arbitrary code, etc.Library-level safety of certain features. For example,
Stringis immutable andfinal, so a function that receives aStringcan verify the string and not have to worry about another thread changing its value.
This isn't a complete list of Java's safety features, but it should give you a sense of some of the design considerations in Java that are not present in other languages.
Hope this helps!
You mention you read some where but can you please re-read it because I guess when it was written the author would be comparing the JAVA with C++ / Fortran / C etc.
Also there is an old post you can read about the testability of security in http://www.veracode.com/blog/2010/06/which-tastes-better-for-security-java-or-net/
you can see both are same almost....
IMHO, that's a very misleading statement. In Java, you cannot access out-of-bound arrays, and you don't have pointers, and thus several security flaws like stack corruption or buffer overflow is impossible to exploit in Java. But Java is not inherently more secure than any other language; it's just there is less chance to make mistakes that can cause security flaws. In effect, this reduces security flaws, but it's totally misleading to say Java is secure.
There are two things that make Java "more secure" than other language in certain aspects:
- Automatic array bounds checking and the lack of manual memory management make certain classes of programming mistakes that often cause serious security holes (such as buffer overruns) impossible. Most other modern languages share this feature, but C and C++, which were dominant (and still are major) application development languages at the time Java first appeared, do not.
- The Security Manager concept makes it relatively easy to run Java applications in a "sandbox" that prevents them from doing any harm to the system they are running on. This played an important part in promoting Java during its early days, since Applets were envisioned as a ubiquitous, safe way to have client-side web applications.
Don't choose; learn both.
If you want to make a career which involves programming (and most careers in information security do that), then you must learn programming, not programming languages. If you concentrate on a single language then you will be a very poor programmer, and your career will fail.
Programming is a state of the mind; languages are distractions.
Information security is a broad field. Depending on the branch you want to specialize you might find useful to learn C, C++, Java, python, shellscripting or neither. About the two you have mention:
- C++ will give you a lot of knowledge about how memory should be managed, and how to build secure code with these assumptions.
- Java will give you a lot of knowledge about how a virtual machine works and how to build secure code with these assumptions.
- Others will tell you that once you know how to program, selecting a language program is about knowing some small details.
Consider that even after mastering the two of them you will learn nothing about communications, cryptography, secret management... Securing is not about programming languages. Securing (well, a big simplification) is about information and how is it treated, stored, shared and by whom (confidentiality, availability, integrity and non-repudio).
But if you want a closer tech security approach...
I learnt a lot about security getting into the Debian (linux) world, I really believe that getting inside the linux administration world will give you big notions about security and security design. Then learning basic cryptography and how communications works will give you the rest. After you have managed all these concepts (and believe me, that is a lot to say) you will need to take into consideration thousands of regulations and security standards.
Is an arduous path, but it is a nice one =)
[Edit] Addendum: I belive the better place to learn about the topics you want is a forum, any hacking forum will do for a beginner level... You eventually will meet people and will find sources of information as you continue learning.
First, the security issues are more a question of the implementation, rather than the language. Java does impose some security checks (bounds checking, etc.) that are optional (and very expensive in runtime) in C++. With regards to your specific issues:
I presume this refers to the classical buffer overrun issue, which often was a problem in C. In C++, we use
std::vector, which can (and usually does, at least when the correct compiler options are given) do the same checks as Java. If, on the other hand, it does refer to stack overflow (e.g. as a result of too deep recursion), then because the stack of the JVM is not the machine stack, Java can do extra checks, and also guarantee an out of memory exception in the case of stack overflow. (This is also possible in C++, but I don't know of a compiler which does it. And the operating systems don't always make it that easy.)This is an OS issue, not a language issue. Modern OS's doesn't allow programs to access memory outside their own process space, so neither Java nor C++ allow it.
As above, this is an OS issue, not a language issue, and modern OS's enforce it relatively well, regardless of whether the program is written in Java or in C++.
In summary, both 2 and 3 are impossible, regardless of the language, and 1 won't occur in well written C++ (although it was a problem in the past with C).
Java is a reasonably secure language because of a few reasons, focusing mostly on your 3 points, Java is more secure than other languages, predominantly because it executes bytecode instructions in its own virtual machine, not native code. It does not allow out of bounds array access, and has no pointer access. This pretty much answers your first 2 points. As for reading and writing without permission I am not sure what you mean by that. Inherently file reading and writing is controlled at an operating system level. Without some exploit to gain more permission than it should, no matter what language it is written in, a program cannot write or read to files the OS prohibits it from. If you mean without permission from an application standpoint, from say a plugin system, then you would need to look into adding a security manager or your own vetting to prevent plugins or modules from altering files under your applications process.
Is there any specific programming language to build highly secure and reliable software or does every programming language works the same and it depends on how we code?