Would you like a slice of FUD with your Java?

• By Mike Gunderloy
• February 8, 2005

From time to time I've been accused of being too hard on Microsoft, with my constant harping on their FUD in various contexts (other people say I'm too easy on them, so I guess it all balances out). But I try to be an equal opportunity FUD-spotter. This morning it's James Gosling, the father of Java, who's on my mind. Gosling rcently claimed that Microsoft "has left open a security hole large enough to drive many, many large trucks through" in .NET. His further comments made it clear that he's referring to the ability to use C++ or C# to perform unsafe operations, such as pointer operations, with the proper syntax.

Here's the deal: in C# you can use the unsafe keyword to create managed, but unverifiable, code. That is, code which is still running inside the CLR, but that doesn't necessarily stick to the normal C# rules of type-safety. Java doesn't have a direct equivalent. So, essentially, C# gives you more power, and more risk, in this scenario.

Now, I know in our litigious society it's fashionable to run in circles and scream and shout about anything that could hurt the poor consumer. But calling the existence of unsafe code a gaping security hole is roughly equivalent to saying that my chainsaw should have come with a warning label reading "WARNING: This device presents an unacceptable security risk for many dwellings, because it can be used to cut holes in your walls through which burglars can gain access."

On the other hand, my chainsaw did come with an extensive manual full of operating procedures and warnings. And, sure enough, if you actually take the time to read the C# documentation, you'll find plenty of discussion of why unsafe code isn't part of the core of C#, when you might need it, and what happens when you use it (for instance, the CLR won't execute unsafe code in untrusted contexts; no running unsafe code directly from the Internet!). Unsafe code is a dangerous tool, to be sure, but it's just a tool.

Face it, no programming environment (except perhaps such educational toys as Logo) is free of all possible security issues. That's because as soon as you start handing out even moderately powerful features, developers find ways to use them that are wonderfully insecure. Java applications are just as vulnerable as .NET ones to canonicalization errors, SQL injection, reading untrusted data, and so on. As with an automobile, the most dangerous part is always the nut behind the wheel.

Personally, I don't find that flinging accusations back and forth between the Java and .NET worlds is really a productive things to do. It's nice that Sun and Microsoft are fierce competitors in this arena; it makes both languages evolve to better support the needs of developers. But there are plenty of developers out in the real world who use both, and the FUD gets tiresome when it pops up. Here's to the continued success of both Java and .NET - and to the continued security education of developers.