Skip to main content
June 1, 2010

Which Tastes Better for Security, Java or .NET?

In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?". Veracode provided data to help answer this question from our "State of Software Security Report" which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead.

...the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.

The question of which platform helps create a more secure application has been debated vigorously for many years. Back in 2003, with Andy Jaquith and other consultants at @stake, I performed a comparison of the security of the .NET vs. J2EE platforms. Our overall results had .NET coming out slightly ahead of J2EE mostly due to better developer defaults and better security guidance for developers. This may be the reason .NET is coming out slightly ahead in this analysis of hundreds of real-world applications.

Veracode Security Guides
Data Security Resources

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.