search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

  1. SEI
  2. Publications
  3. Digital Library
  4. Is Java More Secure Than C?

Is Java More Secure Than C?

February 2016 Podcast
David Svoboda

In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.

Publisher:

Software Engineering Institute
Subjects

Listen

Watch

Abstract

Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When researchers on the CERT Secure Coding Team began writing the SEI CERT Oracle Coding Standard for Java, they thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. They also assumed that a more secure language would need fewer rules than a less secure one. However, Java has 168 coding rules compared to just 116 for C. Why? Are there problems with our C or Java rules, or are Java programs, on average, just as susceptible to vulnerabilities as C programs? In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.

About the Speaker

David Svoboda

David Svoboda

David Svoboda is a software security engineer in the SEI’s CERT Division. He co-authored and contributed to four books, including the CERT C Coding Standard and the CERT ...

David Svoboda is a software security engineer in the SEI’s CERT Division. He co-authored and contributed to four books, including the CERT C Coding Standard and the CERT Oracle Secure Coding Standard for Java. David has over 25 years of job and development experience, starting with Java 2, and his Java projects include Tomcat Servlets and Eclipse plug-ins. He also maintains the SEI CERT coding standard wikis, and he has taught secure coding in C, C++, and Java all over the world to various groups in the military, government, and banking industries.

He is also involved in several ISO standards groups, including one for standardizing C and one for standardizing C++. He has been the primary developer on a diverse set of software development products at Carnegie Mellon University since 1991. His projects have ranged from hierarchical chip modeling and social organization simulation to automated machine translation (AMT). His KANTOO AMT software, developed in 1996, is still in production use at Caterpillar Industries.

Read more