On Mon, Dec 13, 2021 at 6:14 AM Andrew Rowley <[email protected]> wrote:
> On 13/12/2021 10:52 pm, Filip Palian wrote:
> > @Andrew Rowley, you may want to check this outstanding work from Adam
> > Gowdiak (search for "ibm java" or "oracle java" or simply check it all):
> > https://packetstormsecurity.com/files/author/3682/
>
> You might have to spell it out for me because I can't figure it out.
> Again these look to me like various forms of sandbox escape.
>
> Which of these makes Java less secure than the same program written in
> e.g. COBOL?

I don't think COBOL is explicitly, or implicitly, more secure than the base Java language. The "problem" is not the Java language, but the Internet infrastructure built into the Java libraries and "add on" facilities such as LOG4J. A COBOL programmer would most likely write their own logging facility, whereas a Java programmer would have a much larger selection of "prebuilt" libraries to use and would so likely use them. These facilities might or might not have any vulnerabilities in them. But I doubt that anyone is really validating them.

The same with C/C++. Or any other "popular" languages. The PERL and R languages have CPAN and CRAN web sites full of user supplied programs. COBOL does not have that sort of thing. IBM, in the supplied COBOL libraries, tries to validate that they do not compromise system reliability and availability. Routines from the Internet are NOT validated by an outside source. In that way, COBOL is "more secure", in a certain sense. It's also why not many mainframe web applications are built using COBOL. JAVA is easier to use because it has so much "free stuff" which is already developed for Web type things.

> Andrew Rowley

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
