Software Engineering Institute | Carnegie Mellon University

Podcast

Is Java More Secure Than C?

  • February 2016
  • By David Svoboda
  • In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.
  • Secure Coding
  • Publisher: Software Engineering Institute
  • If your program does not require escalated privileges, if you are not working with unprivileged code, you have fewer high-severity Java rules to worry about than C rules.
  • Related

    SEI Blog post, Is Java More Secure than C?

  • Abstract

    Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When researchers on the CERT Secure Coding Team began writing the SEI CERT Oracle Coding Standard for Java, they thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. They also assumed that a more secure language would need fewer rules than a less secure one. However, Java has 168 coding rules compared to just 116 for C. Why? Are there problems with our C or Java rules, or are Java programs, on average, just as susceptible to vulnerabilities as C programs? In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.


About the Speaker

  • David Svoboda

    David Svoboda is a software security engineer in the SEI’s CERT Division. He co-authored and contributed to four books, including the CERT C Coding Standard and the CERT Oracle Secure Coding Standard for Java. David has over 25 years of job and development experience, starting with Java 2, and his Java projects include Tomcat Servlets and Eclipse plug-ins. He also maintains the SEI CERT coding standard wikis, and he has taught secure coding in C, C++, and Java all over the world to various groups in the military, government, and banking industries.

    He is also involved in several ISO standards groups, including one for standardizing C and one for standardizing C++. He has been the primary developer on a diverse set of software development products at Carnegie Mellon University since 1991. His projects have ranged from hierarchical chip modeling and social organization simulation to automated machine translation (AMT). His KANTOO AMT software, developed in 1996, is still in production use at Caterpillar Industries.