Slashdot Mirror


Comparison of Java and .NET security

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to a careful design process, .NET presents security advantages over the Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."

  1. Difference in ages by Anonymous Coward · · Score: 4, Interesting

    In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.

    1. Re:Difference in ages by boa13 · · Score: 5, Interesting

      That's a lot of variations, platforms, etc,

      Actually, 10 of the 45 vulnerabilities that the authors chose to use in the chart were (or are?) in Microsoft JVM.

      I think including them in the chart is misleading at best.

  2. Totally bogus by Anonymous Coward · · Score: 4, Interesting

    Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
    Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
    Saying that .NET is more secure is just about the stupidest thing someone can say... It's like saying Windows is more secure than Linux since it's newer than UNIX and Linux is based on UNIX.

  3. Re:Had to switch from Java to .NET by IWorkForMorons · · Score: 4, Interesting

    He doesn't know me...but I'm one...

    I have quite a number of years experience with VS6, more specifically VB6. Recently I started a job that, while not a programming role, allows me the time and flexibility to create programs to do my job how I want to code them. At first, since this is an MS shop, I grabbed the .NET "Learning Edition" or whatever they're calling it nowadays. I understood that I wouldn't be able to create executables, but I could send my code to systems and get them to do it. After using the IDE for a couple of days, I found it so convoluted that I just gave up. Then I downloaded Eclipse with the Visual Class editor. Nice, simple, and it reminds me of the VB6 IDE. Only cleaner. Now I will say that I've had some problems with the Visual Class editor not rendering properly, but that hasn't stopped me from coding. In 2 weeks of coding on and off, I've created my first program and have been using it to do my job. Granted, it's not complex. Just does a database search and grabs data. But I still prefer the Eclipse IDE, even without the Visual Class editor working properly, over the VS.NET IDE. And I don't need to jump through MS' hoops just to get an executable. I'm distributing the program to the rest of the team next week after the boss tests it, and other departments are getting interested in it too. And with any luck, I'll get out of this support position and into a nice well-paid programming job at the same time.

  4. Yeay! Security plus portability minus cost... by freeplatypus · · Score: 5, Interesting

    .NET
    price: free, You only need to have Windows 2003 Business Server for serious work
    secure: rtfa in few years to make sure
    portable: it runs on many systems, like Windows and ... Windows ... but not all of them.
    speed: well actually speedy on Windows machine
    IDE: brilliant Visual Studio, unfortunately no plugins

    Java
    price: free, well it is free
    secure: most likely as secure as Your application
    portable: well actually, even my SonyEricsson cell runs it :)
    speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
    IDE: Eclipse and/or Netbeans ROCKS!

    This reply seems biased, but well, almost every opinion will be biased.

  5. My take on the first 'graph' used by tod_miller · · Score: 4, Interesting

    Wow, look at their nice graph will you. Their first graph shows 'vulnerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...

    Now look at this: In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's

    So they have a bent from the start to discredit Java. Onto my point:

    Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vulnerabilities' are not even reflections on the fundamental paradigm of the Java security model.

    This article is FUD, and bad FUD to counter Gosling's stand against the 'untrusted code' model of the .Net.

    No, quoting JNI is not relevant in that argument because JNI still works within the security model, yet it allows native code to be interfaced with, that is a separate issue, and akin to making a network call, and running code on another server.

    They then mark up 9 security vulnerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).

    There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities.
    One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has
    not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET
    framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
    with a large number of machines using .NET, the .NET platform presents an attractive target.


    Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.

    From the available information, the one implementation that did have many of its own
    unique vulnerabilities was Microsoft's Java implementation,


    They even try and discredit sources that go against their ideas. 'from the available information' or is that a way of saying 'this might be worse than we imply'.

    I didn't want to dig deeper, I found the single statement copied into a marketing guy's website (fuck the word blog) rather twatish of the guy.

    This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propaganda into the media].

    pteeesh.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com