Software Security

How Should We Make Software Secure?

University of Washington, Microsoft Research, and Carnegie Mellon University Summer Institute

June 15–18, 2003


Challenge Problem: Programming Languages
submitted by Jim Larus

Do Dennis Ritchie and Ken Thompson deserve
to spend their next life fixing buffer overrun errors?

Many people believe that a large percentage of security flaws are due to the shortcomings of C/C++, most notably its lack of string and array bounds checking and its poorly designed string libraries. Certainly buffer overruns underlie a large number of security exploits, as they provide a way to inject code into a system through a public interface. In modern languages, such as Java or C#, array bounds are checked, so an exploitable error in string or buffer handling raises an exception instead: that may result in a denial of service, but it does not form the basis for compromising other system properties.
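As an added illustration of the distinction drawn above (not part of the challenge text), the following C code makes the "fail with an error, never write past the buffer" behaviour of a bounds-checked language explicit at the library level: a length-checked copy replaces the unchecked `strcpy` idiom, and a caller filling a fixed-size field from an untrusted interface refuses oversized input. Function names and buffer sizes are assumed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Length-checked copy: returns 0 on success, -1 when src (plus its
 * terminating NUL) would not fit in dst.  This is the C analogue of the
 * exception a bounds-checked language raises: the caller must handle the
 * failure, but memory adjacent to dst is never overwritten.  An unchecked
 * strcpy(dst, src) has no such limit and is where overruns originate. */
int checked_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size)        /* need room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 <= dst_size, so this is in bounds */
    return 0;
}

/* Simulates a daemon storing a user-supplied name in a fixed-size field.
 * Returns 1 if the input was accepted, 0 if it was rejected as too long.
 * The 16-byte field is a constructed size for the example. */
int accept_username(const char *input)
{
    char name[16];
    if (checked_copy(name, sizeof name, input) != 0)
        return 0;   /* rejected: the worst case is a refused request */
    return 1;       /* accepted: at most 15 characters plus NUL were written */
}
```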

Other people argue that modern languages are not a panacea and point to security flaws in the implementation and use of Java and other modern languages.

Consider the following hypothetical situation: suppose that all programs written in C/C++ were replaced by equivalent programs rewritten in a modern language (but not otherwise changed in their architecture or functionality). This leads to an interesting series of questions that might drive discussions about the interaction of programming languages and security:

  1. Would we be better off in terms of security?
  2. If the answer to 1 is yes, is rewriting code a cost-effective way of improving security?
  3. What would the most prevalent attack be in this world?
  4. What else should we change in languages to improve security?
  5. What else should we change about the programs, in the process of rewriting them, to improve security?



Last updated: 04/03/03.