Google shows 2.51M results for "Java security exploit" versus 5.03M for "Python security exploit".
Any thoughts about why so many news stories concentrate on Java's flaws compared to other languages? Is Python really more secure or better suited for enterprise development? Comments welcome.
Google's count of results is both not accurate for any useful human understanding of the word "accurate" and also neither predictive of any fact about material reality nor reflective of any sort of Internet-wide sentiment. You'd get similarly useful results by seeding a random number generator with those search strings and examining the output.
I believe it is indicative of media exposure to incidents, kind of like seeing how many people are aware of a situation IRL to assess its cultural impact, if only in proportion. But that's just my opinion.
Huh? I see Google report 31.8K results for ["Java security exploit"] and only 4 for ["Python security exploit"]. So in addition to any other problems with this as a rough estimator, removing some of the fuzziness of your unquoted queries gives a wildly different indication.
Separately, some of the worst Java bugs have been problematic and widely-exploitable not because of Java as a language, but Java as an applet/web-browser extension platform, which tries (and too often has failed) to run untrusted code in a safe manner.
The fact remains that search result numbers are completely useless for estimating the security of a language. Even more so without quotes.
* Search results show visibility on the web, nothing else.
* Without quotes, it may mean that more people talk about Python security than Java security. Or about writing exploits in Python, not for Python.
In other news, I get 1M search results for "bieber security exploit" and 27M for "google security exploit" without quotes. But I don't think Justin Bieber or Google have more security issues than Java browser plugins.
The "proportion" of what remains "higher", exactly?
Google only shows the first ~900 results; the 'about' count of results beyond that is a very rough estimate.
To the extent such counts are indicative of anything at all, the exact phrases will have stronger implications than the counts for fuzzier non-phrase queries. For example, your queries will also return pages that include the comment, "there are very few security exploits in Python".
As others have pointed out, trying to deduce anything about the security of Java or Python from the number of Google hits is pointless.
Which of the two systems is "more secure" is rather vague and certainly hard to answer. You might be able to get a better approximation by comparing the number of CVEs relating to each one in a given time frame. But you'll probably want to categorize CVEs by their level of severity or even weight them by their relevancy for the particular application you have in mind. For example, Python does not even try to provide a safe sandbox for web applets while Java does, so the current problem does not even have a meaningful equivalent in the Python world.
My armchair guess is that neither of the two will have a completely terrible track record compared to the other one, and so picking either one should be fine from the point of view of security. In any case you'll have to respond to eventual problems in a timely manner.
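One way to do the comparison the comment above suggests (count CVEs per product within a time frame, bucket and weight them by CVSS score, and drop the ones whose only affected component is irrelevant to your deployment, such as the applet sandbox on a server), as an added example that is not part of the original thread. The records, their ids and scores are constructed placeholders, not real CVEs.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cve:
    cve_id: str            # constructed placeholder id, not a real CVE number
    product: str
    published: date
    cvss: float            # CVSS base score, 0.0 - 10.0
    components: frozenset  # affected components, used for relevance filtering


# Constructed sample records (placeholders, not real CVE data).
SAMPLE = [
    Cve("CVE-XXXX-0001", "java", date(2013, 1, 10), 9.3, frozenset({"applet", "sandbox"})),
    Cve("CVE-XXXX-0002", "java", date(2013, 2, 2), 10.0, frozenset({"applet"})),
    Cve("CVE-XXXX-0003", "java", date(2013, 3, 15), 4.3, frozenset({"jre"})),
    Cve("CVE-XXXX-0004", "java", date(2011, 6, 1), 7.5, frozenset({"jre"})),  # outside window
    Cve("CVE-XXXX-0005", "python", date(2013, 2, 20), 5.0, frozenset({"stdlib"})),
    Cve("CVE-XXXX-0006", "python", date(2013, 4, 1), 7.5, frozenset({"stdlib"})),
]


def severity_bucket(cvss):
    """NVD-style CVSS v2 buckets: low < 4.0, medium 4.0-6.9, high >= 7.0."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def compare(cves, start, end, ignore_components=frozenset()):
    """Per product: raw count, count per severity bucket and a CVSS-weighted sum,
    restricted to [start, end]. A record is skipped when every component it affects
    is in ignore_components (e.g. applet-only bugs for a server-side deployment)."""
    result = {}
    for c in cves:
        if not (start <= c.published <= end):
            continue
        if c.components and c.components <= ignore_components:
            continue
        r = result.setdefault(c.product, {"count": 0, "weighted": 0.0,
                                          "low": 0, "medium": 0, "high": 0})
        r["count"] += 1
        r["weighted"] += c.cvss
        r[severity_bucket(c.cvss)] += 1
    return result
```

Swap in real records from an NVD export to get a comparison that is at least grounded in tracked vulnerabilities rather than search-result counts.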
People focus on these because they are usually exploitable through applets; as such they pose a direct threat to users. The recent issues have been mostly irrelevant to "enterprise systems" since so few use Java's sandboxing, and it's typically easy and quick for developers to respond.
If Python was runnable in browsers and widely installed I suspect it would be treated differently in media.