Gartner Blog Network

Is .NET More Secure Than Java?

by Neil MacDonald  |  June 1, 2010  |  4 Comments

Interesting question – eh? There is a great amount of passion on both sides of the argument. Beyond the emotion and hype, what’s the reality?

After Microsoft followed Java’s lead and adopted a managed runtime that executes intermediate bytecode (the Common Language Runtime, which JIT-compiles CIL rather than interpreting it) for .NET, our official position has been that in the hands of a skilled developer, both platforms can be used to produce equally secure applications.

I had a client ask me this question last week, so I went looking for the latest data to back this up.

Veracode is an application security testing solution provider that scans binaries, byte code and web applications as a service. They keep track of the aggregated data of the applications they scan and have recently begun publishing reports on the overall security of the code their service analyzes. Since they support both .NET and Java byte code scanning, I went to them for some specific data.

This wasn’t published in their report (they are looking at adding this in the next revision), but this is what their data shows: the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0. 

To me, these are close enough and likely within the sampling error of their data. The security of .NET and Java code should be considered equivalent. What is interesting is that the prevalence of the types of vulnerabilities found in .NET code is different than the types of vulnerabilities found in Java code. This table comes from the published report:


This is useful data when designing training for .NET and Java developers. For both groups, an emphasis should be placed on avoiding cross-site scripting errors. Veracode attributes the higher frequency of cross-site scripting vulnerabilities in .NET applications to the use of older .NET controls that do not automatically HTML-encode output. If you are using .NET, make sure you are using the newer controls and rendering syntax that encode output by default, and verify which of your rendering paths actually do so rather than assuming all of them do.
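To make the "older controls" point concrete, here is an added example (my own code, not from the original post, from Gartner or from Veracode). In ASP.NET Web Forms, `Label.Text` and `<%= expr %>` write a string verbatim into the response, while `<%: expr %>` (ASP.NET 4) and `<asp:Literal Mode="Encode">` HTML-encode it first. The two `Render*` methods below reproduce those two behaviours in plain C# so the difference can be seen offline; the input value is constructed, and `System.Net.WebUtility.HtmlEncode` is used instead of `HttpUtility.HtmlEncode` only so the program compiles as a console application without a `System.Web` reference.

```csharp
using System;
using System.Net;

// Added example: the XSS sink the post describes, beside its encoded form.
public static class OutputEncodingDemo
{
    // Constructed attacker-controlled value; assume it arrived via a query string or form field.
    public const string UntrustedName = "<script>alert(document.cookie)</script>";

    // Vulnerable: untrusted text is concatenated straight into HTML body markup.
    // This is what lblGreeting.Text = name; or <p>Hello, <%= name %></p> does.
    public static string RenderUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened: the value is HTML-encoded before it touches the markup.
    // This is what <p>Hello, <%: name %></p> or a Literal control with Mode="Encode" does.
    public static string RenderSafe(string name)
    {
        return "<p>Hello, " + WebUtility.HtmlEncode(name) + "</p>";
    }

    // Same idea inside a quoted attribute: HtmlEncode also escapes the quote characters,
    // so the attacker cannot close value="..." and append an event-handler attribute.
    public static string RenderAttributeSafe(string name)
    {
        return "<input type=\"text\" name=\"user\" value=\"" + WebUtility.HtmlEncode(name) + "\">";
    }

    // Crude visibility check only: did a raw <script tag or a smuggled attribute survive?
    public static bool LooksInjected(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0
            || html.IndexOf("\" onfocus=", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed payload aimed at the attribute context.
        const string attributePayload = "\" onfocus=\"alert(1)";

        Console.WriteLine(RenderUnsafe(UntrustedName));
        Console.WriteLine("injected: " + LooksInjected(RenderUnsafe(UntrustedName)));

        Console.WriteLine(RenderSafe(UntrustedName));
        Console.WriteLine("injected: " + LooksInjected(RenderSafe(UntrustedName)));

        Console.WriteLine(RenderAttributeSafe(attributePayload));
        Console.WriteLine("injected: " + LooksInjected(RenderAttributeSafe(attributePayload)));
    }
}
```

Two caveats a reviewer would raise: HTML encoding is only correct for the HTML body and quoted-attribute contexts shown here; a value placed inside a JavaScript block, a URL, or a CSS rule needs that context's own encoder, and an unquoted attribute stays exploitable no matter how the value is encoded. The control-level point in the post is therefore necessary but not sufficient: an encoding control used in the wrong context is still a finding.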

Bottom Line: the perceived security (or lack thereof) between .NET and Java isn’t a reason to select one language and framework over the other.


Category: application-security  

Tags: application-security  application-security-testing-tools  best-practices  microsoft-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Is .NET More Secure Than Java?

  1. Sam King says:

    Great post Neil. Agree with your bottom line: relying on the security controls built into one language/platform is not the answer. Secure coding practices, developer education and ultimately verifying the final integrated application (internal or procured from third-parties) needs to form part of a secure development lifecycle. We will be exploring flaw density by language and other code-level security metrics for internally developed and commercial software further in our next State of Software Security report due out in July.

  2. @neil, Our last statistics report compared the security of websites using MS Classic, .NET, CFM, Java, PHP and Perl. Some performed better than others in various categories, but one conclusion was that language/framework selection does not seem to be the deciding factor of what makes a website “secure.”


    full report:

  3. muchas says:

    They test the security of web frameworks but attribute the findings to the language – do they really correlate that strongly? Alright, it’s a bit of a mixed bag – buffer overflow has lots to do with the core language.

    I would say XSS and CRLF highly depend on the web framework you are using, and given the plethora of web frameworks running JavaEE it would be interesting to know which ones they tested?

  4. Interesting article. Here’s another take on the same topic:

    After Microsoft followed Java’s lead and adopted an interpreted byte code model (common language runtime) for .NET, it would appear as though that in the hands of a skilled developer, both languages can be used to produce equally secure applications.

