Comparison of Java and .NET security

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."

Had to switch from Java to .NET

[TheShadowHawk]

Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....

I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(

Re:Had to switch from Java to .NET

[IWorkForMorons]

He doesn't know me...but I'm one...

I have quite a number of years experience with VS6, more specifically VB6. Recently I started a job that, while not a programming role, allows me the time and flexibility to create programs to do my job how I want to code them. At first, since this an MS shop, I grabbed the .NET "Learning Edition" or whatever they're calling it nowadays. I understood that I wouldn't be able to create executables, but I could send my code to systems and get them to do it. After using the IDE for a couple of days, I found it so convoluted that I just gave up. Then I downloaded Eclipse with the Visual Class editor. Nice, simple, and it reminds me of the VB6 IDE. Only cleaner. Now I will say that I've had some problems with the Visual Class editor not rendering properly, but that hasn't stopped me from coding. In 2 weeks of coding on and off, I've created my first program and have been using it to do my job. Granted, it's not complex. Just does a database search and grabs data. But I still prefer the Ecplise IDE, even without the Visual Class editor working properly, over the VS.NET IDE. And I don't need to jump through MS' hoops just to get an executable. I'm distributing the program to the rest of the team next week after the boss tests it, and other departments are getting interested in it too. And with any luck, I'll get out of this support position and into a nice well-paid programming job at the same time.

Difference in ages

In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.

Re:Difference in ages

[boa13]

That's a lot of variations, platforms, etc,

Actually, 10 of the 45 vulnerabilities that the authors chose to use in the chart were (or are?) in Microsoft JVM.

I think including them in the chart is misleading at best.

Totally bogus

Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
Saying that .NET is more secure is just about the stupidest thing someone can say... Its like saying Windows is more secure than Linux since its newer than UNIX and Linux is based on UNIX.

Yeay! Security plus portability minus cost...

[freeplatypus]

.NET
price: free, You only need to have Windows 2003 Business Server for serious work
secure: rtfa in few years to make sure
portable: it runs on many systems, like Windows and ... Windows ... but not all of them.
speed: well actually speedy on Windows machine
IDE: brilliant Visual Studio, unfortunatelly no plugins

Java
price: free, well it is free
secure: most likely as secure as Your application
portable: well actually, even my SonyEricsson cell runs it :)
speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
IDE: Eclipse and/or Netbeans ROCKS!

This reply seems biased, but well, almost every opinion will be biased.

My take on the first 'graph' used

[tod_miller]

Wow, look at their nice graph will you. Their first graph shows 'vunerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...

Now look at this: In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's

So they have a bent from the start to discredit Java. Onto my point:

Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vunerabilities' are not even reflections on the fundemental paradigm of the Java security model.

This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the .Net.

No, quoting JNI is not relevant in that argument because JNI still works within the seucrity model, yet it allows native code to be interfaced with, that is a seperate issue, and akin to making a network call, and running code on another server.

They then mark up 9 security vunerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).

There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities.
One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has
not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET
framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
with a large number of machines using .NET, the .NET platform presents an attractive target.

Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.

From the available information, the one implementation that did have many of its own
unique vulnerabilities was Microsoft's Java implementation,

They even try and discredit sources that go against their ideas. 'from the available information' or is the a way of saying 'this might be worse than we imply'.

I didn't want to dig deeper, I found the single statement copied into a marketting guys website (fuck the word blog) rather twatish of the guy.

This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propoganda into the media].

pteeesh.

To confirm you're not a script,
please type the word in this image: binomial

random letters - if you are visually impaired, please email us at pater@slashdot.org

I'm glad the word is getting out

[callipygian-showsyst]

saying that due to careful design process, .NET presents security advantages over Java platform in several areas

Microsoft did an excellet job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.

Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.

I would love it if other companies starting implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)...this would prevent Microsoft from changing the language drastically from release to release.

I hate to play the creditability card, but...

[Bill_the_Engineer]

This paper is a paper from a Grad Student, with an endorsement from Dr. David Evans. These papers (despite what the author may think) are not definative and MUST be contrasted with other papers on the subject.

With all due respect for the author(s), I have the following questions:

Why the mis-leading chart so early in the paper? I believe a table may have been more appropriate.

Why not have more peer-reviewed references? I see plenty of references from MSDN, and some from some conferences. But it looks like most of the arguments are being supported by non-peer reviewed sources.

Why are there a SMALL number of peer-reviewed articles directly related to JAVA?

Why are the peer-reviewed articles on JAVA so old? And most likely no longer relevant?

What is the deployment history of .NET vs. Java? Market share? Security incidents (in the wild)?

Why the microscopic view of JAVA's flaws and the lack of depth in .NET?

Why isn't the dangers of native code discussed (.NET or JNI)?

I do however like the information in Table 3... but what practical advantages do the "finer grained" security functions provided by .NET give the programmer or the end-user?

I think it is a decent paper that maybe was turned in for an assignment. BTW, if the author has asbestos underwear and reads slashdot. Don't forget a short biography at the end of the paper next time. This gives the paper extra creditability.

Regards, Bill