Does X lang have security?
I'm hearing frequently this question when discussing with a Java developer. Th开发者_Python百科ey (java devs) always ask if your lang of choise have security and I don't know what to respond to that. Could anyone please tell me what Java security means?
Quickly: in java you can come across with different type of "security" (giving to this word a wider interpretation).
- Security at a JVM level (i.e. between two apps in the same JVM)
- Security at a container level (between two war deployed in the same appserver and the capability of the container to block calls from a not authorized client)
- Security at an application level (that is more likely authentication and authorization systems that in general implies the usage of frameworks)
But I don't think that asking "The language X has security" makes any sense without some more context.
Java doesn't allow access to the underlying system, so the abstractions provides a safety against (for example) buffer overflows in memory. With a native language you can access your system and use more functions, but you may introduce bugs which may give full system control to attackers.
Additional there is a sandbox for Applets and Webstart-applications, preventing website owners from accessing personal data or taking control of your Desktop.
Well, as pointed out by ccheneson, they could mean many things:
- API for secure communication (cryptography, data encryption for network transmission, digital checksums)
- security inside the language, such as protection from programmer errors like buffer overflows
- security in the VM, such as a sandbox model for running code with limited privileges
So just tell them that their question is too broad to have a meaningful answer. They might just be trying to impress you...
Tell your Java developers that languages do not 'have security'. The platform (libraries and frameworks) may offer API's that might be used to improve security (or be misapplied or used to make things needlessly complex which always reduces security).
Applications and the way they are deployed and operated may be secure or not, whatever language or platform is used. Security is a quality attribute, just as performance or maintainability. Programming languages are a minor aspect of that; platform API's a slightly larger aspect, but not a differentiator between most major mainstream platforms.
I suspect that the Java developers you are talking to are primarily thinking of things like automatic array and string bounds checking - which low-level languages like C and assembler do not have, and which leads to very common programming errors causing extremely serious security holes.
It is true that Java's design prevents this kind of error almost completely because it automatically checks array bounds. But that does not mean "Java has security" - many other types of attack such as Cross-site scripting and SQL injection are still possible, and many badly-written Java apps are vulnerable to them.
And this is also true for pretty much all other modern high-level languages. Java's being "secure" against buffer overflows was an important achievement (and strongly stressed in marketing) when it was introduced in the mid 1990s and C++ its main competitor. Nowadays, with many other languages in wide use, it's not such a big thing anymore.
They probably refer to Java SE Security . So I guess by "have security", they mean a set of API to enhance security in communication, data ...
I think they are talking about the possibility to run your application under the control of an SecurityManager (evolution of the Sandbox concept). The SecurityManager can be configured to disallow some types of privileges like accessing (parts of) the file system, opening connections, terminating the VM, ...
This is just the "Platform Security", there are more topics related to security.
See this technotes, specially the General Security section (Java Security Overview and Security Architecture)
is it about language based security? http://en.wikipedia.org/wiki/Language-based_system
精彩评论