Whether Java is more secure than C is a simple question to ask, but a hard question to answer well. When researchers on the CERT Secure Coding Team began writing the SEI CERT Oracle Coding Standard for Java, they thought that Java would require fewer secure coding rules than the SEI CERT C Coding Standard because Java was designed with security in mind. They also assumed that a more secure language would need fewer rules than a less secure one. However, Java has 168 coding rules compared to just 116 for C. Why? Are there problems with our C or Java rules, or are Java programs, on average, just as susceptible to vulnerabilities as C programs? In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.