2

I am working mostly on C/C++ based enterprise applications. Now few modules are migrating to Java. Also in parallel, there has been stress on ensuring that the application has highest benchmark with respect to security.

Now, My question is -

Suppose same application is developed in all 3 languages (C/C++/Java), What are the possible areas of language specific security threats? (Like for example const string will be revealed in name mangaling. which can be possible security threat).

Any links would help me a lot.

kumar_m_kiran
  • 123
  • 4
  • 4
    If you want to obfuscate the code, Java is a bad choice. But for real security, revealing strings in an executable is not a problem, because we assume that the attacker knows and understands anything that happens in hte client. – CodesInChaos Mar 08 '13 at 09:22

3 Answers3

8

The biggest risk in any language is to have developers who do not master the said language. Secure development requires thinking of all "corner cases" and it does not work unless the developer knows what he does at all points. A competent C programmer who does not know Java will do more secure code in C than in Java (and vice versa).

A case can be made that in languages with "strong guarantees", consequences of some programming errors are less dire when viewed from a security point of view. For instance, a buffer overflow in Java leads to an exception and (usually) termination of the offending thread, whereas in C it may lead to an exploitable hole up to a remote shell for the attacker. This makes me a bit less worried when I have to trust developers with Java code than with C code. However, other potential security-related bugs are unchanged between Java and C code (if the code builds SQL statements in a way susceptible to SQL injection, then nothing in Java will protect against that -- to some extent, easy character string handling in Java promotes SQL injection bugs).

Obfuscation is more about maintaining intellectual property than security. It will not prevent attackers from reverse-engineering your code, but it helps in obtaining legal qualification (when using obfuscation, you make it clear, or at least clearer, that you do not want the code to be reverse-engineered, thus making "trespass" more obvious in the eyes of a judge -- but details vary quite a lot depending on jurisdiction). Java bytecode is easier to reverse-engineer than compiled C or C++, but it would be wrong to claim that compile C or C++ is immune from reverse-engineering.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
3

What I have done in the past when porting something between languages or working on something that will need to work really closely with a different language is to look up specific language issues on the OWASP website.

Hopefully that helps as a bit of a starting point.

Edit

I should add, and it has been covered in other answers, that speaking to an expert in the language might be your most secure bet, obviously this isn't always an option (at least in the short term)

Toby
  • 709
  • 6
  • 8
0

You asked for the link, and I would put my bet on OWASP guide for secure coding practices.

The good thing about this guide is that provide you with RISK AREAS e.g access control, memory management , file management and depending upon the use of one language and its syntax you can get it almost write and horribly wrong if you don't keep in mind the instructions laid out in this reference material.

You need to program with security in mind mostly its just functionality.

If you are interested in doing source code analysis there are bunch for free tools that OWASP provides. Here is the list

Saladin
  • 1,547
  • 3
  • 14
  • 23