Comments on: Which Tastes Better for Security, Java or .NET? http://www.veracode.com/blog/2010/06/which-tastes-better-for-security-java-or-net/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: OscarZ http://www.veracode.com/blog/2010/06/which-tastes-better-for-security-java-or-net/comment-page-1/#comment-4015 OscarZ Thu, 17 Jun 2010 14:34:28 +0000 http://www.veracode.com/blog/?p=1252#comment-4015 Well, it is impossible to have the same testing standards. So, how can the two really be considered "the same". Two different things being tested, two different - very different - criteria. Even if there are a lot of similarities. In any sort of statistical sampling you also have to consider certain percentage points of error, as well. I see these two conclusions as being "equal", as it is an inexact science. Equal in the very inexact context of the tests. Inexact, could be as much as 30% off considering the "unknown" which may be missing and a wide variety of factors. 70% accuracy, however, is generally considered, "Worth a gamble". What I see as "worth a gamble" - security wise - here... is either platform. That is, non-conclusive. I feel comfortable with either environment in terms of security. It is all of the other factors I therefore tend to pay attention to. Not so if one compares PHP or C code against these languages. Well, it is impossible to have the same testing standards. So, how can the two really be considered “the same”. Two different things being tested, two different – very different – criteria. Even if there are a lot of similarities.

In any sort of statistical sampling you also have to consider certain percentage points of error, as well. I see these two conclusions as being “equal”, as it is an inexact science. Equal in the very inexact context of the tests.

Inexact, could be as much as 30% off considering the “unknown” which may be missing and a wide variety of factors. 70% accuracy, however, is generally considered, “Worth a gamble”. What I see as “worth a gamble” – security wise – here… is either platform.

That is, non-conclusive. I feel comfortable with either environment in terms of security. It is all of the other factors I therefore tend to pay attention to. Not so if one compares PHP or C code against these languages.

]]> By: Nate http://www.veracode.com/blog/2010/06/which-tastes-better-for-security-java-or-net/comment-page-1/#comment-3534 Nate Tue, 01 Jun 2010 20:31:58 +0000 http://www.veracode.com/blog/?p=1252#comment-3534 I think .NET is much better from one perspective: designed at a later date and actively maintained. Given that it was designed around the time of MSFT's dark night of the soul, they had some impetus to get the implementation right. Java came from the overflow-less era of 1995. Also, Java doesn't seem to be as actively maintained. I have a hard time seeing Oracle adding ASLR to the JVM or hardening it. Adobe Flash and MSFT's CLR are active targets of exploitation and those companies seem to be making an effort to improve their platforms' robustness. I think .NET is much better from one perspective: designed at a later date and actively maintained. Given that it was designed around the time of MSFT’s dark night of the soul, they had some impetus to get the implementation right. Java came from the overflow-less era of 1995.

Also, Java doesn’t seem to be as actively maintained. I have a hard time seeing Oracle adding ASLR to the JVM or hardening it. Adobe Flash and MSFT’s CLR are active targets of exploitation and those companies seem to be making an effort to improve their platforms’ robustness.

]]>