HACKER Q&A
📣 max_

Why does the NSA use Java so much?


What is the unique selling point of Java? I feel like I am missing out on something?

I just had a look at repos from the NSA and a lot of the code is written in Java. What could be the reason for its dominance in this context?

https://github.com/orgs/NationalSecurityAgency/repositories?type=all


  👤 cmaggiulli Accepted Answer ✓
My answer is guesswork but…

The NSA's work is likely focused around parsing large amounts of data, building exploits for various technologies, things related to access and identity, etc.

I’m sure that for niche activities the NSA implements with whatever tool fits the job. However, in general, for more generalized activities such as parsing data, building reports, building access control systems, etc., you’re going to want to use a language that is common and has longevity. Additionally, you’ll probably want a language that is performant but isn’t so low-level that programmers are spending their time writing code that is purely technical and not aligned with the end goal of the organization. Java is a good mix of performance, commonness, longevity, etc. Additionally, government agencies seem to love static, strongly typed, compiled languages. Those programming principles seem to align with the overall rigidity of government.


👤 cmaggiulli
The unique selling point of Java for the NSA, or are you asking why it’s generally so prevalent?

👤 jprd
Taught in US universities for decades, "portable", prone to use in corporate environments for bespoke software or managing hardware, without security being a primary concern.

👤 omgCPhuture
They think they can take bad software advice and combine it with being greedy AND lazy.

JVMs come in several implementations, and the code written to execute in them both have horrific bugs all the time. XML deserialization, SQL injection, runtime bounds overstepping with foreign input, poorly implemented math. Ghidra itself was barely past its soft opening before it was clear it was shipping with remotely exploitable bugs, easily exploitable very widely too, as the JVM took care of the groundwork for the logic that was problematic to run.

It still ships with exploitable bugs. NSA should get cred for at least dealing with it when it becomes publicly known. It was different before. That said, promoting closed and/or poorly studied & verified software as safe, like they do with MS's broken Windows to allied governments, etc., is just stupid, but they probably look at it as them having an edge with Law and Budget drowning out anything we or any corp can muster up.

They made 0day into a shadowy industry knowing the only choice is to use OSS, as the resources and cost to secure millions of hard-to-study lines of code are prohibitive, even if you can with OSS.

Just because your head is in the sand does not mean the danger has gone "oh shit, sand! oh nooooo!". It just means they evaluated that the practicality of it outweighs the dangers, for them. They have the resources to buy 0day. Pay for audits. Backdoor crypto algorithms and shit the bed over and over. NIST & NSA are the butts of many jokes around the halls of ISO and the likes of hackers who do it simply because they can. They will just keep at it until they win, according to every single declassified field manual since 1960, to DES export-grade crypto, S-boxes or not, laws or no, the embarrassing RSA scheme and 20m USD or the 1 billion USD of bad press that alone got them. Crypto AG, overseas, Juniper and Cisco by force, or OpenBSD.org getting popped to deliver a message heard the world round with apache_scalp.c. Gary7.NSA.Gov traded like a whore in Bangkok on a Sunday as the entire Navy arrived. Ellsberg or Snowden.

Ignorance is dangerous, not bliss. You should not make the mistake of thinking their actions for them indicate something is safe for you.