Java is less secure than C++?
By Pete Freitag
No, it IS NOT! But that is what a hosting company is telling one of my clients.
A fairly well-known ColdFusion hosting company (I'm not going to mention their name, though I would like to;) refused to install one of our Java components on a server, and asked our customer if there was a dll instead of a jar file. I explained to our customer that "I find it quite odd that your host would rather install a dll than a jar since Java tends to be much safer than C++ applications with regard to memory allocation, and other things."
Their host responded: "Notice they only refer to java being better for resource usage. ... The issue we have with JAVA is the security. We have over 35,000 customers and we are a popular CF host and none of our customers use JAVA Tags."
I was even more surprised by their host's response. When I was talking about memory allocation, I was not talking about resource usage! I was talking about the programmer being able to manually allocate and free memory, and being forced to manage their own memory in a lot of cases. This is why many C/C++ programs have memory leaks! About the only way to create a memory leak in Java is to create new objects within an infinite loop and retain their references outside the loop.
Additionally, they feel that Java is less secure than C/C++! As a hosting company they must have heard of buffer overflows! I would also expect many system admins to understand what they are. Buffer overflows are not possible in Java! How many security issues have you seen with Java, or with applications written in Java? And how many buffer overflows or memory leaks have you dealt with?
And to top it off, this host does offer CFMX hosting, which is entirely written in... Java!
When it comes to C++ CFX tags vs. Java CFX tags in ColdFusion, I think you will find that Java CFX tags will perform better in general on CFMX. This is because there is no JNI layer required to invoke the procedures in the C++ DLL.
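The memory-management and buffer-overflow points above, as an added example that is not part of the original post: an unchecked copy into a fixed-size array is stopped by the JVM's bounds check, and objects whose references are retained outside a loop stay reachable while unreferenced ones can be collected. The class and field names are hypothetical, the input is constructed, and the loop is bounded rather than infinite so the program terminates.

```java
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class MemorySafetyDemo {
    // Hypothetical record: a fixed-size buffer next to a field that an
    // unchecked write in C/C++ could silently overwrite.
    static final class Record {
        final byte[] name = new byte[8];
        boolean isAdmin = false;
    }

    // Naive copy with no length check, the shape of a classic strcpy bug.
    static void copyName(Record r, byte[] input) {
        for (int i = 0; i < input.length; i++) {
            r.name[i] = input[i]; // the JVM bounds-checks every index
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Record r = new Record();
        byte[] oversized = new byte[32]; // constructed input, 4x the buffer
        Arrays.fill(oversized, (byte) 1);
        try {
            copyName(r, oversized);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("write rejected: " + e.getMessage());
        }
        System.out.println("isAdmin still " + r.isAdmin);

        // Leak pattern from the post: objects created in a loop whose
        // references are retained outside it remain reachable.
        List<byte[]> retained = new ArrayList<>();
        List<WeakReference<byte[]>> dropped = new ArrayList<>();
        for (int i = 0; i < 100; i++) {
            retained.add(new byte[64 * 1024]);
            dropped.add(new WeakReference<>(new byte[64 * 1024]));
        }
        System.gc(); // a hint only; collection is not guaranteed
        Thread.sleep(100);
        long freed = dropped.stream().filter(w -> w.get() == null).count();
        System.out.println("retained and still reachable: " + retained.size());
        System.out.println("unreferenced and collected:   " + freed + " of 100");
    }
}
```

The number of collected objects depends on the JVM and garbage collector in use; the retained list always keeps all 100 arrays alive.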
Java is less secure than C++? was first published on December 19, 2003.