by happosai 638 days ago
Well it was solved decades ago in Java yet Java apps have proven no more secure in general.

It is a broader ecosystem problem that there is almost no incentive to write secure code. Security is an afterthought, like documentation.


> Java apps have proven no more secure in general

Really? I think an extraordinary claim like "eliminating a whole class of problems makes applications no more secure in general" should also come with extraordinary evidence.

I think Java's CVE list should say enough. Point being, humans can muck anything up, regardless of safeguards.

The point of the person you're replying to is that JVM software has far fewer vulnerabilities than it would have otherwise.

The number of CVEs reveals that there is a lot of Java software and that there's a strong culture of importing dependencies. But we also care about the nature of them, the normalized relative frequency of very serious flaws like RCE exploits.

A CVE list says nothing. I made my own language which has no CVEs; that obviously doesn't mean it's secure. The relevant metric is "CVEs per unit of functionality".
Also, popularity directly affects the number of CVEs.

This is a nonsense statement unless you note the Java runtime. Java is a language. The runtime is the software that runs the Java code. There's more than one runtime.