
Ask HN: "Java security exploit" vs "Python security exploit" - dragonbonheur
Google shows 2.51M results for "Java security exploit" versus 5.03M for "Python security exploit".
Any thoughts about why so many news stories concentrate on Java's flaws compared to other languages? Is Python really more secure or better suited for enterprise development? Comments welcome.
======
patio11
Google's count of results is both not accurate for any useful human
understanding of the word "accurate" and also neither predictive of any fact
about material reality nor reflective of any sort of Internet-wide sentiment.
You'd get similarly useful results by seeding a random number generator with
those search strings and examining the output.

~~~
dragonbonheur
I believe it is indicative of media exposure to incidents, kind of like seeing
how many people are aware of a situation IRL to assess its cultural impact, if
only in proportion. But that's just my opinion.

------
gojomo
Huh? I see Google report 31.8K results for ["Java security exploit"] and only
4 for ["Python security exploit"]. So in addition to any other problems with
this as a rough estimator, removing some of the fuzziness of your unquoted
queries gives a wildly different indication.

Separately, some of the worst Java bugs have been problematic and widely-
exploitable not because of Java as a language, but Java as an applet/web-
browser extension platform, which tries (and too often has failed) to run
untrusted code in a safe manner.

Few other languages have even tried to fill that niche -- really only
Javascript does, and it achieves what safety it provides by an even stricter
lockdown of platform-capabilities.

~~~
dragonbonheur
Indeed I did not use quotes. The fact remains that the proportion remains
higher for Python.

In a way it's sad that Javascript isn't implemented on top of an accessible
bytecode interpreter (VM) that someone could write another translator for. I'd
love it if browsers could be extended in Lua.

~~~
ProblemFactory
The fact remains that search result numbers are completely useless for
estimating the security of a language. Even more so without quotes.

* Search results show visibility on the web, nothing else.

* Without quotes, it may mean that more people talk about Python security than Java security. Or about writing exploits _in_ Python, not _for_ Python.

* Java is extremely secure if it is run in the same place as Python, and not executing untrusted bytecode in a browser plugin. Nobody runs unknown Python code on their machines. Java vs. Flash vs. Javascript makes more sense as a comparison, because all three are used for executing untrusted code.

In other news, I get 1M search results for "bieber security exploit" and 27M
for "google security exploit" without quotes. But I don't think Justin Bieber
or Google have more security issues than Java browser plugins.

------
anonymouz
As others have pointed out, trying to deduce anything about the security of
Java or Python from the number of Google hits is pointless.

Which of the two systems is "more secure" is rather vague and certainly hard
to answer. You might be able to get a better approximation by comparing the
number of CVEs relating to each one in a given time frame. But you'll probably
want to categorize CVEs by their level of severity or even weight them by
their relevancy for the particular application you have in mind. For example,
Python does not even try to provide a safe sandbox for web applets while Java
does, so the current problem does not even have a meaningful equivalent in the
Python world.

My armchair guess is that neither of the two will have a completely terrible
track record compared to the other one, and so picking either one should be
fine from the point of view of security. In any case you'll have to respond to
eventual problems in a timely manner.

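The CVE-count comparison sketched in the comment above, as an added example that is not part of the thread or anyone's comment: a small Python script over constructed sample records (placeholder ids, not real CVEs, and the numbers say nothing about actual Java or Python history) that counts entries per severity band within a time window and then weights each entry by a per-component relevance factor for the deployment in question, so browser-plugin bugs drop out of the score for a server-side application. The record fields, the component names and the two relevance profiles are assumptions chosen to show the mechanism.

```python
"""Weighted CVE comparison over a time window.

Added example, not code from the thread. All records are constructed sample
data with placeholder ids; they are not real CVEs and do not describe the
real track record of Java or Python.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: str          # placeholder id, not a real CVE number
    product: str     # "java" or "python"
    year: int        # publication year
    cvss: float      # CVSS base score, 0.0 to 10.0
    component: str   # where the bug lives (assumed taxonomy)


# Constructed sample data: a mix of browser-plugin and runtime/stdlib bugs.
SAMPLE = [
    Record("sample-01", "java", 2012, 9.3, "browser-plugin"),
    Record("sample-02", "java", 2012, 10.0, "browser-plugin"),
    Record("sample-03", "java", 2013, 9.3, "browser-plugin"),
    Record("sample-04", "java", 2013, 5.0, "runtime"),
    Record("sample-05", "java", 2011, 6.8, "runtime"),
    Record("sample-06", "python", 2012, 5.0, "stdlib"),
    Record("sample-07", "python", 2013, 7.5, "stdlib"),
    Record("sample-08", "python", 2013, 4.3, "runtime"),
    Record("sample-09", "python", 2010, 7.5, "runtime"),
]

# Relevance profiles (assumed): a server application never loads the browser
# plugin, so plugin bugs do not count for it; a desktop with the plugin
# enabled is exposed to everything.
SERVER_PROFILE = {"runtime": 1.0, "stdlib": 1.0, "browser-plugin": 0.0}
DESKTOP_PROFILE = {"runtime": 1.0, "stdlib": 1.0, "browser-plugin": 1.0}


def severity_bucket(cvss):
    """Map a CVSS v2 base score to its qualitative band."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def in_window(record, product, start, end):
    """True when the record is for `product` and dated within [start, end]."""
    return record.product == product and start <= record.year <= end


def count_by_severity(records, product, start, end):
    """Raw count of records per severity band, the naive comparison."""
    counts = defaultdict(int)
    for r in records:
        if in_window(r, product, start, end):
            counts[severity_bucket(r.cvss)] += 1
    return dict(counts)


def weighted_exposure(records, product, start, end, relevance):
    """Sum of cvss * relevance[component]; unknown components weigh 0."""
    total = 0.0
    for r in records:
        if in_window(r, product, start, end):
            total += r.cvss * relevance.get(r.component, 0.0)
    return round(total, 1)


def compare(records, start, end, relevance):
    """Weighted exposure for both products under one relevance profile."""
    return {
        p: weighted_exposure(records, p, start, end, relevance)
        for p in ("java", "python")
    }


if __name__ == "__main__":
    for p in ("java", "python"):
        print(p, count_by_severity(SAMPLE, p, 2012, 2013))
    print("server ", compare(SAMPLE, 2012, 2013, SERVER_PROFILE))
    print("desktop", compare(SAMPLE, 2012, 2013, DESKTOP_PROFILE))
```

On the sample data the raw count puts Java ahead on high-severity entries, the desktop profile agrees, and the server profile reverses the order because every high-severity Java entry is a plugin bug. That reversal is the point of weighting by relevance: the same feed gives different answers for different deployments. A real run would replace `SAMPLE` with records pulled from a vulnerability database and would need its own mapping from affected product strings to components.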
------
manojlds
A Google search like that could also include security exploits using Python
etc. And even Google has started putting less importance on the count. It
basically means nothing.

------
zootm
People focus on these because they are usually exploitable through applets; as
such they pose a direct threat to users. The recent issues have been mostly
irrelevant to "enterprise systems" since so few use Java's sandboxing, and
it's typically easy and quick for developers to respond.

If Python was runnable in browsers and widely installed I suspect it would be
treated differently in media.

~~~
dragonbonheur
So in a way despite its age, Java is still like the pioneer with all the
arrows sticking out of its back.

