Interesting question – eh? There is a great amount of passion on both sides of the argument. Beyond the emotion and hype, what’s the reality?
After Microsoft followed Java’s lead and adopted an interpreted byte code model (common language runtime) for .NET, our official position has been that in the hands of a skilled developer, both languages can be used to produce equally secure applications.
I had a client ask me this question last week, so I went looking for the latest data to back this up.
Veracode is an application security testing solution provider that scans binaries, byte code and web applications as a service. They keep track of the aggregated data of the applications they scan and have recently begun publishing reports on the overall security of the code their service analyzes. Since they support both .NET and Java byte code scanning, I went to them for some specific data.
This wasn’t published in their report (they are looking at adding this in the next revision), but this is what their data shows: the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.
To me, these are close enough and likely within the sampling error of their data. The security of .NET and Java code should be considered equivalent. What is interesting is that the prevalence of the types of vulnerabilities found in .NET code is different from the types of vulnerabilities found in Java code. This table comes from the published report:
This is useful data when designing training for .NET and Java developers. For both types of developers, an emphasis should be placed on avoiding cross-site scripting errors. Veracode attributes the higher frequency of cross-site scripting vulnerabilities in .NET applications to the use of older .NET controls that do not automatically encode output. If you are using .NET, make sure you are using the newer sets of controls.
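To make the output-encoding point concrete, here is an added example (not from the post or from Veracode's report) showing the two rendering patterns side by side in C#: raw concatenation, as an older control would emit a value, next to the same fragment passed through System.Net.WebUtility.HtmlEncode. The span markup, the helper names and the sample input are constructed for illustration.

```csharp
using System;
using System.Net;

static class OutputEncodingDemo
{
    // How an older control (or hand-written markup) emits a value: raw
    // concatenation, so attacker-controlled text becomes live HTML.
    public static string RenderRaw(string displayName)
    {
        return "<span class=\"user\">" + displayName + "</span>";
    }

    // What the newer controls (and the ASP.NET 4 <%: %> syntax) do for you:
    // encode for the HTML body context before the value reaches the page.
    // Context matters: this encoder covers HTML body and attribute text,
    // not values placed inside a <script> block or a URL.
    public static string RenderEncoded(string displayName)
    {
        return "<span class=\"user\">" + WebUtility.HtmlEncode(displayName) + "</span>";
    }

    // Reviewer's check: after rendering, the untrusted input must not survive
    // as markup. Returns true when the fragment still contains it verbatim.
    public static bool LeaksMarkup(string renderedHtml, string untrustedInput)
    {
        return untrustedInput.Contains("<") && renderedHtml.Contains(untrustedInput);
    }

    static void Main()
    {
        // Constructed sample standing in for a form field or query-string value.
        string untrusted = "Alice <b>admin</b>";

        string raw = RenderRaw(untrusted);
        string safe = RenderEncoded(untrusted);

        Console.WriteLine("raw:     " + raw);
        Console.WriteLine("encoded: " + safe);
        Console.WriteLine("raw leaks markup:     " + LeaksMarkup(raw, untrusted));
        Console.WriteLine("encoded leaks markup: " + LeaksMarkup(safe, untrusted));
    }
}
```

The same check, run against the fragments your own controls produce, is a quick way to confirm which ones encode by default and which still need an explicit HtmlEncode.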
Bottom Line: the perceived security (or lack thereof) between .NET and Java isn’t a reason to select one language and framework over the other.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.