Which Tastes Better for Security, Java or .NET?

In his blog, Gartner analyst Neil MacDonald asks the question, “Is .NET More Secure Than Java?” Veracode provided data to help answer this question from our “State of Software Security Report”, which contains the static analysis results from 1,591 Java, .NET and C/C++ applications. .NET comes out slightly ahead.

…the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.

The question of which platform helps create a more secure application has been debated vigorously for many years. Back in 2003, with Andy Jaquith and other consultants at @stake, I performed a comparison of the security of the .NET and J2EE platforms. Our overall results had .NET coming out slightly ahead of J2EE, mostly due to better developer defaults and better security guidance for developers. This may be the reason .NET is coming out slightly ahead in this analysis of hundreds of real-world applications. The margin is small, though: 27.2 versus 30.0 flaws per MB is a difference of under ten percent, and both figures count only flaws found by static analysis, normalized by the amount of code scanned, so they measure what developers on each platform tend to write rather than the hardening of the platform runtime itself.


2 Comments

I think .NET is much better from one perspective: designed at a later date and actively maintained. Given that it was designed around the time of MSFT’s dark night of the soul, they had some impetus to get the implementation right. Java came from the overflow-less era of 1995.

Also, Java doesn’t seem to be as actively maintained. I have a hard time seeing Oracle adding ASLR to the JVM or hardening it. Adobe Flash and MSFT’s CLR are active targets of exploitation and those companies seem to be making an effort to improve their platforms’ robustness.

Comment by Nate — June 1, 2010 @ 4:31 pm

Well, it is impossible to have the same testing standards. So, how can the two really be considered “the same”? Two different things being tested, two different – very different – criteria, even if there are a lot of similarities.

In any sort of statistical sampling you also have to consider certain percentage points of error. I see these two conclusions as being “equal”, as it is an inexact science. Equal in the very inexact context of the tests.

Inexact: it could be as much as 30% off, considering the “unknown” which may be missing and a wide variety of factors. 70% accuracy, however, is generally considered “worth a gamble”. What I see as “worth a gamble” – security wise – here… is either platform.

That is, non-conclusive. I feel comfortable with either environment in terms of security. It is all of the other factors I therefore tend to pay attention to. Not so if one compares PHP or C code against these languages.

Comment by OscarZ — June 17, 2010 @ 10:34 am
