Comparison of Java and .NET security
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
You're kidding me, right? Anyone who actually has used Visual Studio will acquiesce that it is the best IDE ever conceived. Even the most hardened OS automatons. If by chunks you mean chunks of superiority then yeah, you are exactly right.
This system is shutting down. Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
Wake me up... when .Net ceases to be a vehicle to lock users and developers more and more into Windows...
From day 1 .Net was designed to lure over the Java devs so that they get rid of the dangerous cross platform capabilities of Java!
And don't come with Mono, we all know where it stands!
It's not truly cross-platform so it's out of the question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and ports them to Linux I won't touch it with a ten-foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward to is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
Karma: Positive (probably because of superior intellect)
Well, ignoring the fact that Microsoft is meant to be 'teh evil' and looking purely at the framework that their engineers have produced, I have found very little to criticize.
It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.
The Visual Studio IDE however! Piece of HTML-mangling, non-XHTML-compliant &*$£
Performance over time is a measure of success. And so .NET's performance over 9 years would be a fair comparison.
Over the years I've seen many remarkable architectural designs, including the Windows NT Security Model (back when NT meant New Technology), which were thought to be ideal. 11 years on, no one could seriously claim that the Windows security model is ideal.
First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take into account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.
Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.
So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.
Now, the question is, why are there no vulnerability discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.
However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.
So, availability of source code might be enough to generate two or three vulnerability discoveries per year.
Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent their money where it matters most in the long run.
http://dictionary.reference.com/search?q=dynamical
I'm not going to read the article but the reasons stated in the summary suggest a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the MS blog is suspicious and the scientific study might actually be quite good (I wouldn't criticize it without reading it first).
.Net come with very similar security features. Both have fine-grained role-based security features. I'd say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an OSS PGP implementation recently that plugs into the default Java security API. .Net on the other hand has some nice language features like attributes. Java has null SecurityManagers; .Net has unmanaged code.
Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and
Java's security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by Sun. Overall I trust this process more than I trust the Microsoft process, which when it comes to security has received a lot of criticism over the past few years.
Jilles
Okay, so, .net is designed better. Now, unfortunately the thing only runs under MS Windows. Windows is a rather poorly designed operating system. So, your .net is better, but it only runs on an OS with major security issues.
How far does that get you?
Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).
.Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far superior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
However, this study is flawed.
Jeremy Logan's Website.
ok, I feel a strong need to shamelessly plug the .NET platform and refute your arguments..
... Windows ... but not all of them.
.GNU works on BSD, Linux and Windows. You are not required to use the System.Windows namespace if you're not developing for Windows.
>.NET: price: free, You only need to have Windows
>2003 Business Server for serious work
>portable: it runs on many systems, like
>Windows and
mono and
You shouldn't look at anything older than Windows 2000 though..
>IDE: brilliant Visual Studio, unfortunately
>no plugins
really now. They are called 'add-ins'.
>Java: price: free, well it is free
Sure, but not as in beer. Can I independently create my own JVM and distribute it?
>secure: most likely as secure as Your application
Sure, you can always trust the developer.
>speed: a bit clumsy, but hey, almost all >1GHz
>desktop PC can run Java application in very
>responsive manner (Eclipse, Netbeans, Azureus,
>etc.)
Sure. So if i want speed i should just add more machines.
>IDE: Eclipse and/or Netbeans ROCKS!
and all that in a very slow manner indeed..
C is not as portable as it seems. Just because there is a C compiler does not mean that any program written in C runs on a platform.
It is complex indeed. Which is not good. It is the cause for many errors which are hard to find. (Strings in C are about the worst you can get.)
Professionals who use C for everything should be fired because they should use a language suitable for the task instead.
The gall to take into account vulnerabilities from Microsoft's own JVM in a comparison with Microsoft's .Net is astonishing. What a way to belittle your competitor: make a crappy implementation of their product and call them insecure.
I lack words.
The difference in age has something to do with it... you can't say that the "score" is 45 - 0 because the 45 vulnerabilities have been reported over 9 years for Sun. However, the chart clearly shows that in its first three years the Java platform was already up to 15 vulnerabilities while .NET is still at 0 after 3 years out.
You don't think enough... therefore you better not be!
Stop personally insulting each other.
.Net you would have to be mad to use anything else. Even the lovely/cute SharpDevelop could not be used for real serious development even though I adore their whole project. .Net does rock, I don't like the security paper that started this thread's obvious bias, but .Net is newer so it's no surprise the design has some advantages. Java and .Net can live in the world together, there is no need to get hysterical or get in a fight about it. You eat veggies, I'll eat the meat, meat and vegetable can coexist, get over yourselves.
VS.Net 2003 has lots of issues, certainly around web projects. It sure lacks refactoring, and it does not highlight errors without a compile.
All Java advocates here are shouting Eclipse, but the Java pros I work with use IntelliJ. Sometimes paying for something is better.
VS 2005 has improved a lot, and for doing
I'm downloading Eclipse now to take a look at it again, but if its the usual Java sluggish/ugly normal Java client stuff we are used to then I won't be using it for very long.
By MS consultant I mean he was a Microsoft employee from their professional services division acting as a consultant to help resolve issues with the application. So call bullshit all you want.
Yes, we restricted the port ranges but guess what? When you do that on a SQL Server box it crashes under load and MS was never able to resolve the issue. This was true even if the restricted range was very large or very small.
Where did I ever say "one box"? I said flat which means in one network segment.
As I said in my first post, "there may be a better way to implement .Net". I guess it would have been too much for someone to just post information instead of resorting to calling me a liar. :)
writing oo in c when you have c++ is stupid, you entirely fundamental basics of oo-concepts such as inheritance, encapsulation and the like.
Inheritance (at least single inheritance) is easy in C: you can just make the first member of your object (struct) an instance of another object. Thus, you can cast up (by dereferencing that member), the only difference being that the cast up is explicit (not necessarily such a bad thing!). And you can cast down implicitly by using casted function pointers that take the subclass pointer (this works because it is the first member in the struct).
As for encapsulation, you get that in C simply by encapsulating all you want in the same module. Hiding the data and code you want in the C side and exposing what you want in the H side. Sure, you can't enforce the hiding the private data in your struct, but you can hide it by convention.
Also note that in C++, you can't really enforce the data hiding either, i.e.:
#define private public
#include "some_class.h"
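The first-member inheritance pattern described in the comment above, written out as a complete added example (this is not code from the thread or from any project it mentions): a base struct carrying a vtable, two subclasses that embed the base as their first member, the explicit upcast, and virtual dispatch through the base pointer. One deliberate difference from the comment: the methods here take the base pointer and cast down inside the body, rather than being casted function pointers that take the subclass pointer, so the call site and the implementation agree on the function type. It also adds something the comment does not mention, a checked downcast that compares the vtable pointer before trusting the layout, because an unchecked cast to the wrong subclass is exactly the type confusion that C cannot catch for you. Shape, Rect, Circle and all function names are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Base "class": an object header holding a pointer to a vtable of
 * function pointers. Every virtual method takes the base pointer. */
typedef struct Shape Shape;

typedef struct ShapeVTable {
    double (*area)(const Shape *self);
    const char *(*name)(const Shape *self);
} ShapeVTable;

struct Shape {
    const ShapeVTable *vt;   /* doubles as a runtime type tag */
};

/* Subclasses: the base object is the FIRST member, so a Rect* and the
 * address of its embedded Shape are identical (C guarantees no padding
 * before the first member of a struct). That is what makes the casts
 * below legal. */
typedef struct Rect {
    Shape base;
    double w, h;
} Rect;

typedef struct Circle {
    Shape base;
    double r;
} Circle;

/* Upcast is explicit: take the address of the first member. */
static Shape *rect_as_shape(Rect *r)     { return &r->base; }
static Shape *circle_as_shape(Circle *c) { return &c->base; }

/* Method bodies downcast from the base pointer; this is safe only because
 * the vtable that reached them identifies the subclass behind the pointer. */
static double rect_area(const Shape *s) {
    const Rect *r = (const Rect *)s;
    return r->w * r->h;
}
static const char *rect_name(const Shape *s) { (void)s; return "rect"; }

static double circle_area(const Shape *s) {
    const Circle *c = (const Circle *)s;
    return 3.141592653589793 * c->r * c->r;
}
static const char *circle_name(const Shape *s) { (void)s; return "circle"; }

static const ShapeVTable rect_vt   = { rect_area,   rect_name };
static const ShapeVTable circle_vt = { circle_area, circle_name };

/* Constructors are the only code that knows the full layout; a header
 * would expose just "typedef struct Rect Rect;" and these prototypes,
 * which is the "hide it by convention" encapsulation from the comment. */
static Rect *rect_new(double w, double h) {
    Rect *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->base.vt = &rect_vt; r->w = w; r->h = h;
    return r;
}
static Circle *circle_new(double radius) {
    Circle *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->base.vt = &circle_vt; c->r = radius;
    return c;
}

/* Virtual dispatch through the base pointer. */
static double shape_area(const Shape *s)      { return s->vt->area(s); }
static const char *shape_name(const Shape *s) { return s->vt->name(s); }

/* Checked downcast (added): an unchecked (Rect *)s on a Circle would read
 * c->r as r->w and whatever lies past the Circle as r->h. */
static Rect *shape_to_rect(Shape *s) {
    return (s->vt == &rect_vt) ? (Rect *)s : NULL;
}

/* Sum the areas of a constructed list of shapes through the base pointer. */
static double demo_total_area(void) {
    Rect *r = rect_new(2.0, 3.0);
    Circle *c = circle_new(2.0);
    Shape *shapes[] = { rect_as_shape(r), circle_as_shape(c) };
    double total = 0.0;
    for (size_t i = 0; i < sizeof shapes / sizeof shapes[0]; i++)
        total += shape_area(shapes[i]);
    free(r); free(c);
    return total;   /* 6 + 4*pi */
}

/* Returns 1 if the checked downcast accepts a Rect and rejects a Circle. */
static int demo_checked_downcast(void) {
    Rect *r = rect_new(1.0, 1.0);
    Circle *c = circle_new(1.0);
    int ok = shape_to_rect(rect_as_shape(r)) == r
          && shape_to_rect(circle_as_shape(c)) == NULL;
    free(r); free(c);
    return ok;
}

int main(void) {
    Rect *r = rect_new(2.0, 3.0);
    printf("%s area = %.2f\n", shape_name(rect_as_shape(r)), shape_area(rect_as_shape(r)));
    printf("total area = %.4f, checked downcast ok = %d\n",
           demo_total_area(), demo_checked_downcast());
    free(r);
    return 0;
}
```

The vtable pointer is the only thing standing between a base pointer and a wrong-layout read, so in real code the type tag belongs in read-only memory (the `const` vtables here) and every downcast outside the method bodies goes through a check like shape_to_rect.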
Am I reading this correctly? A common claim from the Java crowd for superiority is how it has better interoperability? That is one of the least important things in a business today.
If you look at the statistics, Windows 2003 Server is really catching on with businesses, and that advances the .NET platform.
There's this thing called XML web services; if you've been living under a rock or just plain closed your eyes to the real world, this means that you can communicate with any system, so Java as a web platform has lost the major advantage it once had over MS products.
In fact, the ease of installing a server, the cleanness of .NET, and the power of ASP .NET mean that in a company you can now embrace your beloved Linux for the worker desktops, have one Microsoft server running ASP .NET / SQL Server, and service the entire company with one application that is cheap and easy to build.
That is why .NET is starting to knock the socks off Java in the business world.
For client-side apps Java is still the winner for multiplatform... but outside of handhelds it's largely irrelevant b/c Windows dominates the desktop market.
I wonder why all these MSFT bashers keep coming in as Anonymous.... .NET managed code is NOT rare. People who write .NET code interfacing with unmanaged code are usually porting existing applications.
Comparing this security to a native Java app is like comparing a Java app with JNI calls to an existing C or C++ app. The code is only as secure as the other code it is trusting.
Apples and Oranges
P.S. Your last analogy makes no sense whatsoever
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
How many companies are purely Windows shops? I would think that given that one fact (and ignoring mono,
Don't get me wrong, I'm not a
And as far as running cell phones to an existing application, we decided to go the web-based route. There is no Java front-end or back-end requirement. Hell, you could easily have a Java front-end and C# back-end if you wanted, but we went with an HTML front-end and C# back-end (though I was pushing for PHP
And if you work in a mixed shop that does require application functionality that is exactly the same across multiple platforms, I can see your point. However, in a Microsoft house you have the option of choosing your tools to fit the job. Maybe Java will be the best fit or maybe
Whee signature.
It's actually good to do it that way because you can't do research until you have a hypothesis, otherwise you don't know what you are measuring. You have to establish that basis before doing the research, not after.
One last personal request: Using bold all over the place at random looks kinda like USING LOTS OF CAPS and doesn't help make a point. I recommend using bold on no more than one or two words in a paragraph.
It seems most moderators haven't heard of it either, as nobody modded you up yet.
I am Eclipse/Java guy now working on a VS C# project. Anyone who thinks VS is great please tell me how to do these automatically in VS.Net 2003 (I am admittedly a novice with the VS interface, so I am hoping these things are actually doable):
Oliver.
.NET is Free source (as in free speech, mono or dotGNU)
Java isn't
- -- Truth addict for life.
The main reason to use Java is that its cross-platform. If you think Microsoft's plan is to lure over Java developers to a platform that's locked into Windows from a platform that runs on who knows how many platforms, you have another thought coming to you.
Pelé!