In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?". Veracode provided data to help answer this question from our "State of Software Security Report" which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead.

...the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.

The question of which platform helps create a more secure application has been debated vigorously for many years. Back in 2003, with Andy Jaquith and other consultants at @stake, I performed a comparison of the security of the .NET vs. J2EE platforms. Our overall results had .NET coming out slightly ahead of J2EE mostly due to better developer defaults and better security guidance for developers. This may be the reason .NET is coming out slightly ahead in this analysis of hundreds of real-world applications.


About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Nate | June 1, 2010 4:31 pm

I think .NET is much better from one perspective: designed at a later date and actively maintained. Given that it was designed around the time of MSFT's dark night of the soul, they had some impetus to get the implementation right. Java came from the overflow-less era of 1995.

Also, Java doesn't seem to be as actively maintained. I have a hard time seeing Oracle adding ASLR to the JVM or hardening it. Adobe Flash and MSFT's CLR are active targets of exploitation and those companies seem to be making an effort to improve their platforms' robustness.

OscarZ | June 17, 2010 10:34 am

Well, it is impossible to have the same testing standards. So, how can the two really be considered "the same"? Two different things being tested, two different - very different - criteria. Even if there are a lot of similarities.

In any sort of statistical sampling you also have to consider certain percentage points of error, as well. I see these two conclusions as being "equal", as it is an inexact science. Equal in the very inexact context of the tests.

Inexact, could be as much as 30% off considering the "unknown" which may be missing and a wide variety of factors. 70% accuracy, however, is generally considered, "Worth a gamble". What I see as "worth a gamble" - security wise - here... is either platform.

That is, non-conclusive. I feel comfortable with either environment in terms of security. It is all of the other factors I therefore tend to pay attention to. Not so if one compares PHP or C code against these languages.
