I'm hearing frequently this question when discussing with a Java developer. They (java devs) always ask if your lang of choise have security and I don't know what to respond to that. Could anyone please tell me what Java security means ?
Thanks.
I'm hearing frequently this question when discussing with a Java developer. They (java devs) always ask if your lang of choise have security and I don't know what to respond to that. Could anyone please tell me what Java security means ?
Thanks.
They probably refer to Java SE Security . So I guess by "have security", they mean a set of API to enhance security in communication, data ...
Tell your Java developers that languages do not 'have security'. The platform (libraries and frameworks) may offer API's that might be used to improve security (or be misapplied or used to make things needlessly complex which always reduces security).
Applications and the way they are deployed and operated may be secure or not, whatever language or platform is used. Security is a quality attribute, just as performance or maintainability. Programming languages are a minor aspect of that; platform API's a slightly larger aspect, but not a differentiator between most major mainstream platforms.
Java doesn't allow access to the underlying system, so the abstractions provides a safety against (for example) buffer overflows in memory. With a native language you can access your system and use more functions, but you may introduce bugs which may give full system control to attackers.
Additional there is a sandbox for Applets and Webstart-applications, preventing website owners from accessing personal data or taking control of your Desktop.
Quickly: in java you can come across with different type of "security" (giving to this word a wider interpretation).
But I don't think that asking "The language X has security" makes any sense without some more context.
Well, as pointed out by ccheneson, they could mean many things:
So just tell them that their question is too broad to have a meaningful answer. They might just be trying to impress you...
I suspect that the Java developers you are talking to are primarily thinking of things like automatic array and string bounds checking - which low-level languages like C and assembler do not have, and which leads to very common programming errors causing extremely serious security holes.
It is true that Java's design prevents this kind of error almost completely because it automatically checks array bounds. But that does not mean "Java has security" - many other types of attack such as Cross-site scripting and SQL injection are still possible, and many badly-written Java apps are vulnerable to them.
And this is also true for pretty much all other modern high-level languages. Java's being "secure" against buffer overflows was an important achievement (and strongly stressed in marketing) when it was introduced in the mid 1990s and C++ its main competitor. Nowadays, with many other languages in wide use, it's not such a big thing anymore.
I think they are talking about the possibility to run your application under the control of an SecurityManager (evolution of the Sandbox concept). The SecurityManager can be configured to disallow some types of privileges like accessing (parts of) the file system, opening connections, terminating the VM, ...
This is just the "Platform Security", there are more topics related to security.
See this technotes, specially the General Security section (Java Security Overview and Security Architecture)
is it about language based security? http://en.wikipedia.org/wiki/Language-based_system