

What about .NET vs Java Security?

 

Interesting stuff, no?

Comments

  • Anonymous
    October 25, 2004
    I can assure you that this will not be picked
    up by Slashdot or TheServerSide as it does
    not conform to their reader's belief system.

    hehe...

    Ricky
  • Anonymous
    October 25, 2004
    This might be the inverse of the IE effect. Since JAVA has been around so much longer (and more widely deployed), it is more of a target for "Security Researchers and friends".

    But that might change
  • Anonymous
    October 25, 2004
    Well well, sounds terrible, doesn't it? 14 is much higher than 4... boy...
    Of course, what you don't mention is the fact that the .NET vulnerabilities are all marked much more critical than the Java. (Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % Highly Critical). One should of course also mention, that this 1 highly critical vulnerability is a Buffer Overflow in JPEG Processing code...
    But compare yourself:
    .NET: http://secunia.com/product/667/
    Java: http://secunia.com/product/784/
  • Anonymous
    October 25, 2004
    The comment has been removed
  • Anonymous
    October 25, 2004
    So these graphs show that Microsoft gives out fewer advisories than Sun. Does it tell something about the applications themselves? ;-)
  • Anonymous
    October 26, 2004
    Let's play math games, then. The Secunia page lists 13% of the Java vulnerabilities as being "Security Bypass", and 25% of the .NET vulnerabilities that way. Looks bad for .NET.

    Hmm... wait a minute, though... 13% of 14 is two (allowing for Secunia's rounding), 25% of 4 is 1. So, Java has two "Security Bypass" flaws during that time, .NET has one. So, what is murphee trying to tell us with his percentages? That he can play with statistics as well as anyone?
  • Anonymous
    October 26, 2004
    Alun:

    The numbers are too low to play with percentages. On the other hand, this is telling:

    "Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % Highly Critical"

    You should also remember that whereas J2EE apps are strong residents in Linux/Unix/Mac and other platforms that are more secure than Windows, Dotnet so far is mainly used in Windows, which everyone knows is riddled with security holes.

  • Anonymous
    October 26, 2004
    The comment has been removed
  • Anonymous
    October 26, 2004
    And check out the IMPACT graph for both - advantage: Java!

  • Anonymous
    October 26, 2004
    >>So what was the point of the original post

    Very simple - everyone has security bugs, and only Msft admits it!
  • Anonymous
    October 26, 2004
    The comment has been removed
  • Anonymous
    October 26, 2004
    "However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn't 'critical'."

    You're confusing .NET with Windows/IIS/IE... .NET is probably just as screwy as the others, it's just that there aren't enough data points yet to confirm it - notice that the graph is only for about 1 year.

    The point is, even over that short period, and even granting the fact Java has been here several times longer, Java STILL is more secure than dotnet.


  • Anonymous
    October 26, 2004
    The comment has been removed
  • Anonymous
    October 26, 2004
    The comment has been removed
  • Anonymous
    October 26, 2004
    It's all in a days work :)
  • Anonymous
    October 26, 2004
    "Very simple - everyone has security bugs, and only Msft admits it!"

    I hope you're only kidding here, because that's the stupidest statement I've heard coming from a Microsoft employee. Denying or blinding oneself to the fact that Microsoft Windows or IE or IIS, for example, is a treasure trove of security breaches (even the major news organizations regularly report this because of the severity and potential damage) does NOT inspire any confidence that MSFT is serious about solving these problems...

    SHAME on you, as you are, as you point out, a "security" guy at MSFT!
  • Anonymous
    October 26, 2004
    Seriously, let's look at this constructively. Everyone has security bugs, right? We agree on that I hope!

    But where do you hear that anyone but Microsoft has security bugs? We're actively working on addressing the issue, with time, education, $$, process improvement, better security testing, better libs, better best practice (I could keep going.) And yet, no-one else seems to want to do this work. Why? Beats me, because everyone has security bugs. Am I really that off-base?
  • Anonymous
    October 26, 2004
    That's a really simple thing to say and I'm trying not to call you names like "simple simon" (I mean, who else would simply COUNT the number of advisories without looking at the underlying severity and impact of the advisories)...

    Obviously everything has the potential to have security problems...the point is, which ones have the most security bugs and the most critical ones. Your entry actually backfired by showing that in fact Java has a better record on this than .NET.

    Microsoft has rightly been attacked by the press and the public for its poor security record, so you doing a PR on the thing doesn't really help things - it just shows Microsoft still has not owned up to the fact it needs to do some serious convincing to make the common perception that its products are security sieves go away.


  • Anonymous
    October 26, 2004
    You dodged my comment/question, no-one else has serious security issues?
  • Anonymous
    October 26, 2004
    And you obviously don't understand why people are angry at Microsoft since I did answer your question and went beyond:

    other products may have security issues...Java itself may have some real problems...but simply by doing the comparison above you highlight the point that the number and severity and impact of issues will vary from product to product - and the point is that microsoft products seem to be unusually rife with problems that are severe.

    get it now?

  • Anonymous
    October 27, 2004
    I think you can't simply measure the number of (published) security issues.

    The ValidatePath issue in the ASP.Net code was a really heavy issue. And especially since MS had real trouble with (URL) canonicalization issues in IIS in the past, I think such a mistake should not happen. They should know better.

    Maybe the guy who coded it didn't read your book;-)
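The comment above refers to a canonicalization class of bug without describing it, so here is an added illustration (not code from this post, from ASP.NET, or from any Microsoft product) of the general defensive rule: apply the access-control check to a canonical form of the request path, never to the raw string. The ACL prefixes, request paths and the `naive_requires_auth`/`requires_auth` names are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example ACL: request paths under these prefixes need an
# authenticated user. Everything else is public.
PROTECTED_PREFIXES = ("/secure/", "/admin/")


def canonicalize(path: str) -> str:
    """Reduce a request path to a single canonical form.

    The authorization decision must be made on this form, never on the
    raw request string, otherwise two spellings of the same resource can
    receive different answers.
    """
    # Percent-decode until stable so double-encoded bytes do not survive.
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    # Hosts with case-insensitive file systems (Windows/IIS, as discussed
    # in the thread) treat backslash as a separator and ignore case, so
    # fold both before comparing against the ACL.
    path = path.replace("\\", "/").lower()
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)      # "//secure" -> "/secure"
    path = posixpath.normpath(path)      # resolves "." and ".." segments
    return path


def requires_auth(path: str) -> bool:
    """Hardened check: the ACL is applied to the canonical path."""
    canon = canonicalize(path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in PROTECTED_PREFIXES)


def naive_requires_auth(path: str) -> bool:
    """The weak pattern: the ACL is applied to the raw request path."""
    return path.startswith(PROTECTED_PREFIXES)


def authorize(path: str, authenticated: bool) -> bool:
    """Returns True if the request may proceed."""
    return authenticated or not requires_auth(path)


if __name__ == "__main__":
    # Constructed request paths; each names the same protected resource,
    # but only the canonical check recognises all of them as protected.
    for p in ["/secure/page.aspx", "/Secure/page.aspx",
              "/public/../secure/page.aspx", "/%2573ecure/page.aspx",
              "/secure\\page.aspx", "//secure//page.aspx"]:
        print(f"{p!r:32} naive={naive_requires_auth(p)!s:5} "
              f"canonical={requires_auth(p)}")
```

The design point is that every transformation the web server or file system will apply later (decoding, separator folding, case folding, dot-segment resolution) has to be applied first, on the copy the ACL sees; any step left out is a spelling of the resource the check never evaluates. A stricter variant rejects, rather than decodes, any path that still contains `%` after one decoding pass.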
  • Anonymous
    October 27, 2004
    >>I think such a mistake should not happen
    Totally agree! There's a full post-mortem underway!

    These are, I'm afraid to say, common industry mistakes:

    PHP: http://secunia.com/advisories/11792/
    Crystal Reports: http://secunia.com/advisories/11800/
    BEA WebLogic: http://secunia.com/advisories/11435/
    Sun JSP: http://secunia.com/advisories/8879/

    Perhaps more people should read the book :)
  • Anonymous
    October 27, 2004
    how many serious java apps vs .NET apps out there?
  • Anonymous
    October 27, 2004
    Michael,

    Can you please comment on this :

    http://secunia.com/product/22/

    Why are 26% still unpatched ?

    Not verifiable, not reproducible ?

    btw.. I appreciate what you do for developers.

    Thank you.

    Ricky
  • Anonymous
    October 27, 2004
    The comment has been removed
  • Anonymous
    October 28, 2004
    .
  • Anonymous
    October 31, 2004
    I think .NET is more safe than Java.
  • Anonymous
    February 17, 2006
    PingBack from http://www.abduh.net/?p=93