undefined | Better HN

0 pointsstavros1y ago0 comments

> Java apps have proven no more secure in general

Really? I think an extraordinary claim like "eliminating a whole class of problems makes applications no more secure in general" should also come with extraordinary evidence.

0 comments

petee1y ago

I think Java's CVE list should say enough. Point being humans can muck anything up, regardless of safeguards

Clamchop1y ago

The point of the person you're replying to is that JVM software has far fewer vulnerabilities than it would have otherwise.

The number of CVEs reveals that there is a lot of Java software and that there's a strong culture of importing dependencies. But we also care about the nature of them, the normalized relative frequency of very serious flaws like RCE exploits.

stavrosOP1y ago

A CVE list says nothing. I made my own language which has no CVEs, that obviously doesn't mean it's secure. The relevant metric is "CVEs per unit of functionality".

sedatk1y ago

Also, popularity directly affects the number of CVEs.

bastawhiz1y ago

This is a nonsense statement unless you note the Java runtime. Java is a language. The runtime is the software that runs the Java code. There's more than one runtime.

j / k navigate · click thread line to collapse