Neil MacDonald, Gartner Blog Network

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
Is .NET More Secure Than Java?

by Neil MacDonald  |  June 1, 2010  |  4 Comments

Interesting question – eh? There is a great amount of passion on both sides of the argument. Beyond the emotion and hype, what’s the reality?

After Microsoft followed Java’s lead and adopted an interpreted byte code model (common language runtime) for .NET, our official position has been that in the hands of a skilled developer, both languages can be used to produce equally secure applications.

I had a client ask me this question last week, so I went looking for the latest data to back this up.

Veracode is an application security testing solution provider that scans binaries, byte code and web applications as a service. They keep track of the aggregated data of the applications they scan and have recently begun publishing reports on the overall security of the code their service analyzes. Since they support both .NET and Java byte code scanning, I went to them for some specific data.

This wasn’t published in their report (they are looking at adding this in the next revision), but this is what their data shows: the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0. 

To me, these are close enough and likely within the sampling error of their data. The security of .NET and Java code should be considered equivalent. What is interesting is that the prevalence of the types of vulnerabilities found in .NET code is different from the types of vulnerabilities found in Java code. This table comes from the published report:

[Table from the Veracode report: prevalence of vulnerability types in .NET versus Java code; image not reproduced]

This is useful data when designing training for .NET and Java developers. For both types of developers, an emphasis should be placed on avoiding cross-site scripting errors. Veracode attributes the higher frequency of cross-site scripting vulnerabilities in .NET applications to the use of older .NET controls that do not automatically encode output. If you are using .NET, make sure you are using the newer sets of controls.
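To make the point about unencoded output concrete, here is an added C# example (written for this post, not taken from the original or from Veracode) that contrasts a legacy-style render, which concatenates an untrusted value straight into markup, with one that HTML-encodes the value first via System.Net.WebUtility.HtmlEncode; the sample input is a constructed test string.

```csharp
using System;
using System.Net;

// Added example (not from the original post). Older ASP.NET output paths such as
// Response.Write and <%= %> emit a value unchanged; the <%: %> syntax added in
// ASP.NET 4 and the HtmlEncode helpers encode it. The two Render* methods below
// model those two behaviours without needing a web server.
static class OutputEncodingDemo
{
    // Legacy behaviour: the untrusted value lands in the markup as-is.
    static string RenderUnencoded(string displayName) =>
        "<span class=\"user\">" + displayName + "</span>";

    // Hardened behaviour: encode every untrusted value at the point of output.
    static string RenderEncoded(string displayName) =>
        "<span class=\"user\">" + WebUtility.HtmlEncode(displayName) + "</span>";

    // Regression check a team can keep in its unit tests: if the input carries
    // markup-significant characters, the raw input must not survive into the output.
    static bool IsMarkupNeutral(string rendered, string input)
    {
        bool inputHasMarkup = input.IndexOfAny(new[] { '<', '>', '"', '\'', '&' }) >= 0;
        return !inputHasMarkup || !rendered.Contains(input);
    }

    static void Main()
    {
        // Constructed sample of the kind a stored-XSS unit test would feed in.
        string untrusted = "<script>alert('x')</script>";

        string legacy = RenderUnencoded(untrusted);
        string hardened = RenderEncoded(untrusted);

        Console.WriteLine("legacy  : " + legacy);
        Console.WriteLine("hardened: " + hardened);
        Console.WriteLine("legacy passes check  : " + IsMarkupNeutral(legacy, untrusted));
        Console.WriteLine("hardened passes check: " + IsMarkupNeutral(hardened, untrusted));
    }
}
```

The check is deliberately simple: it only catches raw pass-through of a markup-bearing value, which is exactly the defect the older controls introduce, and it does not replace a context-aware encoder for attribute, URL or script contexts.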

Bottom Line: the perceived security (or lack thereof) between .NET and Java isn’t a reason to select one language and framework over the other.

Category: Application Security

4 responses so far

  • 1 Sam King   June 1, 2010 at 9:44 am

    Great post Neil. Agree with your bottom line: relying on the security controls built into one language/platform is not the answer. Secure coding practices, developer education and ultimately verifying the final integrated application (internal or procured from third-parties) needs to form part of a secure development lifecycle. We will be exploring flaw density by language and other code-level security metrics for internally developed and commercial software further in our next State of Software Security report due out in July.

  • 2 Jeremiah Grossman   June 2, 2010 at 7:57 am

    @neil, Our last statistics report compared the security of websites using MS Classic, .NET, CFM, Java, PHP and Perl. Some performed better than others in various categories, but one conclusion was that language/framework selection does not seem to be the deciding factor of what makes a website “secure.”

    slides:
    http://www.slideshare.net/jeremiahgrossman/whitehat-security-9th-website-security-statistics-report-3995771

    full report:
    http://www.slideshare.net/jeremiahgrossman/whitehat-security-9th-website-security-statistics-report

  • 3 muchas   June 3, 2010 at 1:10 am

    They test the security of web frameworks but attribute the findings to the language – do they really correlate that strongly? Alright, it's a bit of a mixed bag – buffer overflow has lots to do with the core language.

    I would say XSS and CRLF highly depend on the web framework you are using, and given the plethora of web frameworks running JavaEE it would be interesting to know which ones they tested?

  • 4 java training   June 4, 2010 at 2:45 pm

    Interesting article. Here's another take on the same topic:

    http://www.helpdesk-software.ws/it/29-04-2004.htm

    After Microsoft followed Java’s lead and adopted an interpreted byte code model (common language runtime) for .NET, it would appear as though that in the hands of a skilled developer, both languages can be used to produce equally secure applications.

    Lexy