Comparison of Java and .NET security

Posted by Zonk on Sat Aug 27, 2005 03:52 AM
from the one-likes-coffee-the-other-not dept.
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
This discussion has been archived. No new comments can be posted.
  • Except... (Score:4, Funny)

    by Anonymous Coward on Saturday August 27 2005, @03:54AM (#13414191)
    Except it runs on Windows.
    D'OH!
  • by TheShadowHawk (789754) on Saturday August 27 2005, @03:58AM (#13414205) Homepage

    Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....

    I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(

          • by IWorkForMorons (679120) on Saturday August 27 2005, @04:53AM (#13414332) Journal
            He doesn't know me...but I'm one...

            I have quite a number of years experience with VS6, more specifically VB6. Recently I started a job that, while not a programming role, allows me the time and flexibility to create programs to do my job how I want to code them. At first, since this is an MS shop, I grabbed the .NET "Learning Edition" or whatever they're calling it nowadays. I understood that I wouldn't be able to create executables, but I could send my code to systems and get them to do it. After using the IDE for a couple of days, I found it so convoluted that I just gave up. Then I downloaded Eclipse with the Visual Class editor. Nice, simple, and it reminds me of the VB6 IDE. Only cleaner. Now I will say that I've had some problems with the Visual Class editor not rendering properly, but that hasn't stopped me from coding. In 2 weeks of coding on and off, I've created my first program and have been using it to do my job. Granted, it's not complex. Just does a database search and grabs data. But I still prefer the Eclipse IDE, even without the Visual Class editor working properly, over the VS.NET IDE. And I don't need to jump through MS' hoops just to get an executable. I'm distributing the program to the rest of the team next week after the boss tests it, and other departments are getting interested in it too. And with any luck, I'll get out of this support position and into a nice well-paid programming job at the same time.
        • As a contrary opinion, I've used both and found them both good in different areas. And I've certainly not found any difference in reliance on "Wizards" between the two packages.

          I've found that, in general, VS.NET is a little better integrated with its languages, whereas Eclipse has far superior refactoring support and integration with build processes (as you mention). 2005 is going some way to fixing this.

          They're both fantastic IDEs though. I'd recommend either (although the only C# plugin I've found fo

  • Difference in ages (Score:4, Interesting)

    by Anonymous Coward on Saturday August 27 2005, @04:00AM (#13414209)
    In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.
    • by Three Headed Man (765841) <dieter_chen@NoSPam.yahoo.com> on Saturday August 27 2005, @04:05AM (#13414219)
      Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?
      • by kbw (524341)
        Performance over time is a measure of success. And so .NET's performance over 9 years would be a fair comparison.

        Over the years I've seen many remarkable architectural designs, including the Windows NT Security Model (back when NT meant New Technology), which were thought to be ideal. 11 years on, no one could seriously claim that the Windows security model is ideal.
        • by boa13 (548222) on Saturday August 27 2005, @04:31AM (#13414282) Homepage Journal
          That's a lot of variations, platforms, etc,

          Actually, 10 of the 45 vulnerabilities that the authors chose to use in the chart were (or are?) in Microsoft JVM.

          I think including them in the chart is misleading at best.
              • by khasim (1285) <brandioch.conner@gmail.com> on Saturday August 27 2005, @03:03PM (#13417139)
                It isn't which is really more "vulnerable".

                It is how you define your criteria as to what is "vulnerable" and what is "safe".

                They would have done a LOT better in just sticking to the design of each instead of counting admitted vulnerabilities and patches.

                Microsoft has been known to sit on vulnerabilities for a LONG time (http://www.eeye.com/html/research/upcoming/index.html [eeye.com])

                Security starts with the security model. Here is where you'll see patches to disable stuff in a flawed model. You cannot just count the patches here, but they are useful for evaluating the model itself.

                Then that model has to be implemented in code. This is where you'll see bug fixes for code errors.

                The last thing to look at is any application built by someone else on that platform.

                And one last item to consider. Any platform is only as "secure" as the level beneath it. If .Net can be exploited by a vulnerability in Windows, then it can be exploited. This is particularly important because Microsoft builds both platforms.

                Here is where they get it wrong on Java:
                Both platforms need some way of bootstrapping to install the initial classes and loading mechanisms. Java 1.0 used a trusted file path that gave full trust to any class stored on the path. Code on the system CLASSPATH was fully trusted, so problems occurred when untrusted code could be installed on the CLASSPATH [15]. Java 2 treats code found on the CLASSPATH as any other code, but maintains backwards compatibility by using the bootclasspath to identify completely trusted code necessary to bootstrap the class loader.
                So, if Windows is compromised and code inserted to Java to run, then Java is at fault ... but if Windows is compromised and code is inserted for .Net to run, then that shouldn't count because the compromise happened before .Net was running.

                Either you count it as a flaw in both, or you don't count it for either.
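
The bootclasspath trust and the null SecurityManager that the story summary and the comment above refer to can be observed directly. The following is an added example, not code from the study or from any commenter; the class name `TrustAudit` is hypothetical and the behaviour described assumes JDK 8 through 17 semantics for `ProtectionDomain` and the default policy file.

```java
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/**
 * Added illustration (hypothetical class name, not from the study).
 * Reports which loader defined a class, where its code came from, and
 * whether its protection domain carries AllPermission, then shows that
 * with a null SecurityManager the policy answer is never enforced.
 */
public class TrustAudit {

    /** One-line trust summary for a class. */
    static String describe(Class<?> c) {
        // A null loader means the bootstrap loader defined the class,
        // i.e. it came from the bootclasspath (or the runtime image).
        ClassLoader loader = c.getClassLoader();
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();          // null for bootstrap classes
        boolean fullyTrusted = pd.implies(new AllPermission());

        return String.format("%-18s loader=%-16s source=%s AllPermission=%b",
                c.getName(),
                loader == null ? "bootstrap" : loader.getClass().getSimpleName(),
                cs == null || cs.getLocation() == null ? "(none)" : cs.getLocation(),
                fullyTrusted);
    }

    /** Runs describe() but reports a denial instead of crashing. */
    static String safeDescribe(Class<?> c) {
        try {
            return describe(c);
        } catch (SecurityException e) {
            // With a SecurityManager installed, even asking for the
            // protection domain needs RuntimePermission("getProtectionDomain").
            return c.getName() + ": denied by SecurityManager (" + e.getMessage() + ")";
        }
    }

    @SuppressWarnings("removal") // SecurityManager is deprecated for removal on JDK 17+
    public static void main(String[] args) {
        SecurityManager sm = System.getSecurityManager();
        System.out.println("SecurityManager: " + (sm == null
                ? "null (no permission check is enforced for any class)"
                : sm.getClass().getName()));

        // Bootstrap class: null loader, null CodeSource, AllPermission.
        System.out.println(safeDescribe(String.class));
        // Application class: real CodeSource, permissions decided by policy.
        System.out.println(safeDescribe(TrustAudit.class));

        // What the policy says versus what the runtime actually allows.
        PropertyPermission want = new PropertyPermission("user.home", "read");
        try {
            boolean policySaysYes =
                    TrustAudit.class.getProtectionDomain().implies(want);
            System.out.println("policy grants user.home read: " + policySaysYes);
        } catch (SecurityException e) {
            System.out.println("policy query denied: " + e.getMessage());
        }
        try {
            String home = System.getProperty("user.home");
            System.out.println("runtime allowed the read: " + (home != null));
        } catch (SecurityException e) {
            System.out.println("runtime denied the read: " + e.getMessage());
        }
    }
}
```

Run once with plain `java TrustAudit` and once with `-Djava.security.manager` on a JDK that still supports that property: in the first run the property read succeeds whatever the policy says, in the second the application class is stopped while `String` remains fully trusted.
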
  • PDF text (Score:5, Informative)

    by Anonymous Coward on Saturday August 27 2005, @04:09AM (#13414230)
  • by Mensa Babe (675349) on Saturday August 27 2005, @04:10AM (#13414233) Homepage Journal
    It's not truly cross-platform so it's out of question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and ports them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward to is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
    • by dotslashdot (694478) on Saturday August 27 2005, @04:23AM (#13414268)
      Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds of operations and make it difficult for others to figure out just what the hell is going on. C++ sucks for that very reason when it comes to a production environment. These are only useful in useless settings like school or maybe a Mensa meeting. Have you heard of Mensa? You should join. Especially because you are so subtle and humble about it. :)
      • by shutdown -p now (807394) <int19h@@@gmail...com> on Saturday August 27 2005, @06:05AM (#13414488)
        Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds of operations and make it difficult for others to figure out just what the hell is going on.
        Well maybe the developers should learn more about operator overloading and multiple inheritance, like, how to use them properly, instead of whining endlessly about how "C++ sucks for that very reason"? You know, start with some decent programming language like Eiffel, which was designed from grounds-up to handle both these cases very nicely. See how MI is used there, why is it used, and what it can do in skilled hands that SI+interfaces can't. Then maybe you will be able to learn to comprehend the power Lisp macros give to the programmer (I'm half-expecting someone to shout "but macros are evil because they can be abused, that's why C sucks!").

        Speaking of abuse, pretty much every language can be abused to no end. Java is no exception. It won't stop you from making public fields, for example, which is generally considered a bad thing to do. Nor will it limit write access to them from outside the class (in contrast to Eiffel, where public fields are read-only from outside). The whole type system is a big mess as well (int vs Integer, anyone? and now with autoboxing?).

        • by Procyon101 (61366) on Saturday August 27 2005, @03:42PM (#13417340) Journal
          I've got to use the same argument for multiple inheritance. It's absolutely great when done in a sane fashion. The occasional default implementation of an interface, or even more useful, inheriting from policy classes for decoupling are great uses of multi-inheritance. It's the OOP nightmare of deep, wide inheritance trees that leads to gouging your eyes out insanity and prayers for single inheritance, just like seeing an overloaded comma and tertiary is likely to make you swear off operator overloading. But that's a symptom of crazy programming, not a crazy language construct.
    • by rjshields (719665) on Saturday August 27 2005, @06:34AM (#13414548)
      If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing
      Multiple inheritance is best avoided for clarity (multiple interface inheritance is OK). Operator overloading is rarely useful and often abused. Java is a strongly typed language and this is not going to change ("dynamical typing" doesn't mean anything by the way).

      Some of these points are misinformed and you missed out the things that bug people most about Java, the lack of deterministic finalisation and direct memory control, so it looks like your intellect is not superior after all. People who really do have superior intellect do not need to boast about it, it shows through in the things they do and say.
  • by Anonymous Coward on Saturday August 27 2005, @04:18AM (#13414248)
    C is portable, fast, very complex and since 35+ years the leading standard for professional OS and APP development.

    C is so successful that C++ had to be invented to get more people into OO style C programming. C++ was designed as a syntax aid for people who lacked the skill writing OO in C by disciplined use of structs and func pointers.

    C is obviously too complex for the average CS student who crouch from one alternative to the next.

    Java? .NET??? ...amusing.
    • You are trying to be funny, but I'll bite. .NET and Java are clearly a much cleaner subset of C++, with many runtime features. Both are designed to do away with many legacy programming features (like pointer arithmetic). These features will only take your eye off your original target (for a small speed advantage, granted).

      These languages are less error prone and easier to debug. Therefore, they are the tool of choice for someone to create a program within a certain timeframe, a program which sources that ca
      • writing oo in c when you have c++ is stupid, you entirely fundamental basics of oo-concepts such as inheritance, encapsulation and the like.

        Inheritance (at least single-inheritance) is easy in C, you can just create the first member of your object (struct) be an instance of another object. Thus, you can cast up (by dereferencing that member), the only difference being that the cast up is explicit (not necessarily such a bad thing!). And you can cast down implicitly by using casted function pointers that t
  • by vdex42 (858798) on Saturday August 27 2005, @04:18AM (#13414250)
    Well ignoring the fact that Microsoft is meant to be 'teh evil' and looking purely at the framework that their engineers have produced I have found very little to criticize.

    It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
    * Easier exception handling.
    * Transparency with the whole string class/primitive issue.
    * Really easy to create and catch events.

    The Visual Studio IDE however! Piece of HTML mangling non XHTML compliant &*$£

    • Add to that that you basically have half the classes sitting with a thin layer on a 20 year old api designed with no security at all in the mind of the developers and some stuff basically moved 1:1 over.... .Net can have lots of security features as long as you can pump a string directly into win32 in half of the classes, which triggers a buffer overflow everything is null and void in this article.
      • by zootm (850416) on Saturday August 27 2005, @05:51AM (#13414454)

        .Net can have lots of security features as long as you can pump a string directly into win32 in half of the classes, which triggers a buffer overflow everything is null and void in this article.

        You can't do that unless you're P/Invoking worse code, or running in the unsafe mode, both of which are similar to running a JNI interface with which you could do the same thing.

        The CLI system is sandboxed, the underlying API is hidden and — in general, unless there's a problem with the implementation of the system — its shortcomings are essentially hidden.

        • But it is almost a given that in any large application someone somewhere dipped into the PInvoke toolbox to get something done. I haven't seen many .NET GUI apps of any large size that don't dip into PInvoke. Usually it was because the developers were familiar with the older Win32 API and didn't feel like doing things right, but still. You don't really see that in Java nearly as often. I have used JNI code a handful of times in 3 or 4 years of Java development and it is almost encouraged by Microsoft to PIn
    • Easier exception handling.

      Now, I'll grant it's easier (since you don't have to!), but in systems where reliability is a requirement the lack of checked exceptions can be a bit of a hassle, too easy to overlook and requiring good documentation (which, on the other hand, is a good thing).

      Transparency with the whole string class/primitive issue.

      Java does have autoboxing as of 5.0, but I know that's not really what you're on about. Being able to switch on strings and so on is handy though. Their special

  • Totally bogus (Score:4, Interesting)

    by Anonymous Coward on Saturday August 27 2005, @04:19AM (#13414253)
    Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
    Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
    Saying that .NET is more secure is just about the stupidest thing someone can say... It's like saying Windows is more secure than Linux since it's newer than UNIX and Linux is based on UNIX.
    • Re:Totally bogus (Score:3, Insightful)

      by tommck (69750)
      I wonder why all these MSFT bashers keep coming in as Anonymous.... .NET managed code is NOT rare. People who write .NET code interfacing with unmanaged code are usually porting existing applications.

      Comparing this security to a native Java app is like comparing a Java app with JNI calls to an existing C or C++ app. The code is only as secure as the other code it is trusting.

      Apples and Oranges

      P.S. Your last analogy makes no sense whatsoever
  • Source code access (Score:5, Insightful)

    by boa13 (548222) on Saturday August 27 2005, @04:20AM (#13414258) Homepage Journal
    First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take in account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.

    Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.

    So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.

    Now, question is, why are there no vulnerability discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.

    However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

    So, availability of source code might be enough to generate two or three vulnerability discoveries per year.

    Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent the money where it matters most in the long run.
    • by Johnno74 (252399) on Saturday August 27 2005, @05:02AM (#13414348)
      Most of the source code for .Net is available here [microsoft.com] - It's called "rotor" and is Microsoft's open source implementation of .Net. It doesn't cover the complete framework, but it includes the runtime, C# compiler, and the parts of the framework that were submitted to ECMA.

      Anyone is free to download, modify and distribute rotor, it compiles on OSX and BSD. I believe someone has modified it to compile and run on Linux. Unfortunately the license prohibits commercial use...

      The major differences between Rotor and the full framework are a simplified garbage collector, and a simplified JIT compiler. Microsoft aren't saying how much of the framework code is shared between Rotor and the full version, but I've been told by people with access to the source that the answer is "pretty much all of it"
      • by boa13 (548222)
        you execute a program and it will run before next Christmas (not something you can say for Java)

        Heh, that part is quite a troll.

        I use Java apps daily (Eclipse, Moneydance, JAlbum), and now that you make me think of it, they might not be "lightning fast", but they're fast enough that I don't think about their speed. In my book, that's the definition of being "fast enough".

        I don't have experience with .Net apps however, so it might well be the case that they're faster. As others have commented, they only run
  • hardly objective (Score:4, Insightful)

    by jilles (20976) on Saturday August 27 2005, @04:31AM (#13414281) Homepage
    I'm not going to read the article but the reasons stated in the summary suggest a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the ms blog is suspicious and the scientific study might actually be quite good (I wouldn't criticize it without reading it first).

    Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and .Net come with very similar security features. Both have fine-grained role based security features. I'd say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an oss pgp implementation recently that plugs into the default Java security api. .Net on the other hand has some nice language features like attributes. Java has null securitymanagers; .net has unmanaged code.

    Java's security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by SUN. Overall I trust this process more than I trust the microsoft process which when it comes to security has received a lot of criticism over the past few years.
  • by JeremyALogan (622913) on Saturday August 27 2005, @04:49AM (#13414318) Homepage
    Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).

    However, this study is flawed. .Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far superior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
    • by iapetus (24050) on Saturday August 27 2005, @05:27AM (#13414395) Homepage
      Why is it wrong to compare them as pure equals? Speaking as someone wanting to implement a solution today, using today's technology, I want to know which one is better for my needs now. I'm not going to say "Well, Java sucks, but for the time it was great, so I'll use that instead of something that meets my requirements right now."
      • by boa13 (548222) on Saturday August 27 2005, @05:47AM (#13414438) Homepage Journal
        I want to know which one is better for my needs now.

        And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.

        What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.

        Actually, since no flaws have been found for .Net, there is no way to know how Microsoft will react in such a case. Past reactions should at the very least have you worried.

        (And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)
  • .NET
    price: free, You only need to have Windows 2003 Business Server for serious work
    secure: rtfa in few years to make sure
    portable: it runs on many systems, like Windows and ... Windows ... but not all of them.
    speed: well actually speedy on Windows machine
    IDE: brilliant Visual Studio, unfortunately no plugins

    Java
    price: free, well it is free
    secure: most likely as secure as Your application
    portable: well actually, even my SonyEricsson cell runs it :)
    speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
    IDE: Eclipse and/or Netbeans ROCKS!

    This reply seems biased, but well, almost every opinion will be biased.
    • ok, I feel a strong need to shamelessly plug the .NET platform and refute your arguments..

      >.NET: price: free, You only need to have Windows
      >2003 Business Server for serious work
      >portable: it runs on many systems, like
      >Windows and ... Windows ... but not all of them.

      mono and .GNU works on bsd, linux and windows. You are not required to use the System.Windows namespace if you're not developing for windows.
      You shouldn't look at anything older than windows 2000 though..

      >IDE: brilliant Visual Stud
  • by iksrazal_br (614172) on Saturday August 27 2005, @05:32AM (#13414406) Homepage
    I think this article overlooks the fact that many 'free as in speech' third party security libraries and frameworks are available for java.

    1) ACEGI - Aspect-oriented programming using a dependency injection model to replace or complement JAAS for authentication and authorization in an Application server independent way. A subproject of the Spring framework:

    http://acegisecurity.sourceforge.net/docbook/acegi.html/ [sourceforge.net]

    2) XML Encryption and XML Digital Signatures. Used in Web Service security or independently.

    http://xml.apache.org/security/ [apache.org]

    http://ws.apache.org/wss4j/ [apache.org]

    3) Container managed security implemented in every servlet container on the market, including tomcat.

    In short, I'd like to see a comparison of the features and availability of what people actually use in their applications, rather than an entirely fudgable comparison of reported/unreported security flaws.

    "None are more hopelessly enslaved than those who falsely believe they are free. -- Goethe"

    iksrazal

  • Heh! (Score:5, Insightful)

    by miffo.swe (547642) <daniel@NOsPAM.solle.se> on Saturday August 27 2005, @05:37AM (#13414419) Homepage Journal
    The gall to put into account vulnerabilities from Microsoft's own JVM in a comparison to Microsoft's .Net is astonishing. What a way to belittle your competitor, make a crappy implementation of their product and call them unsecure.

    I lack words.
    • Re:Heh! (Score:3, Insightful)

      by cpu_fusion (705735)
      I completely agree. This single point alone screams, "ignore this study! it's biased!"

      Either the people writing the study are purposefully distorting their own data, or they are idiots, or both.

      Expect more acts of desperation from Microsoft marketing as Java continues to dominate the enterprise server space.
  • by tod_miller (792541) on Saturday August 27 2005, @06:30AM (#13414543) Journal
    Wow, look at their nice graph will you. Their first graph shows 'vulnerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...

    Now look at this: In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's

    So they have a bent from the start to discredit Java. Onto my point:

    Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vulnerabilities' are not even reflections on the fundamental paradigm of the Java security model.

    This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the .Net.

    No, quoting JNI is not relevant in that argument because JNI still works within the security model, yet it allows native code to be interfaced with, that is a separate issue, and akin to making a network call, and running code on another server.

    They then mark up 9 security vulnerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).

    There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities.
    One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has
    not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET
    framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
    with a large number of machines using .NET, the .NET platform presents an attractive target.


    Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.

    From the available information, the one implementation that did have many of its own
    unique vulnerabilities was Microsoft's Java implementation,


    They even try and discredit sources that go against their ideas. 'from the available information' or is that a way of saying 'this might be worse than we imply'.

    I didn't want to dig deeper, I found the single statement copied into a marketing guy's website (fuck the word blog) rather twatish of the guy.

    This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propaganda into the media].

    pteeesh.

    • This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the .Net.

      No, your reply is FUD, just like Goslings stuff about untrusted code. I won't waste my time explaining why it was FUD, that was already well-covered in the Slashdot comments [slashdot.org] around that article.

      ...JNI still works within the security model, yet it allows native code to be interfaced with, that is a separate issue, and akin to making a network call, and running code on another server.

      You just m

  • It's been done (Score:3, Informative)

    by Anonymous Coward on Saturday August 27 2005, @07:05AM (#13414630)

    This is news? ONJava [onjava.com] did a detailed, four-part analysis of .Net and Java security a year or so ago:

  • by callipygian-showsyst (631222) on Saturday August 27 2005, @10:05AM (#13415405) Homepage
    saying that due to careful design process, .NET presents security advantages over Java platform in several areas

    Microsoft did an excellent job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.

    Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.

    I would love it if other companies started implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)...this would prevent Microsoft from changing the language drastically from release to release.

  • In addition (Score:3, Insightful)

    by doc modulo (568776) on Saturday August 27 2005, @10:14AM (#13415467)
    .NET is Free source (as in free speech, mono or dotGNU)

    Java isn't
    • by dedazo (737510) on Saturday August 27 2005, @05:35AM (#13414409) Journal
      The whole thing used DCOM

      That's unfortunate, because .NET does not require DCOM at all.

      DCOM uses RPC which means that firewalls have to allow the entire high port range

      Yes, well, you can always open DCOMCNFG, switch to the protocols tab, select the TCP/IP entry and set the port range that suits you. Wow.

      MS consultant all insisted this was standard and typical

      An "MS consultant" told you you needed DCOM to jump over tiers with .NET and failed to tell you that you can select a port range to play nice with your firewall over the DMZ? Crap, I would have called his boss or the TAM at the regional office and have his ass fired.

      consultant strongly urged not doing multi-tiered

      You know what, while I don't doubt that there's someone dumb enough to recommend something like that out there, I really doubt it was an "MS consultant". Microsoft is moving away from heavy physical tier designs to avoid the wire overhead (which admittedly makes them look slightly stupid after years of telling everyone to use as many boxes as possible), but to recommend running the application and the database server on the same box is just plain retarded. MSCS (or whomever you were supposedly talking to) has some dumb people in the file and rank, but not *that* dumb.

      I'm gonna have to call bullshit on your apocryphal story here, unless by "MS consultant" you mean some random dude that has an MCSD and has read "Software Fortresses" five times while moving his lips.

          • Re:Brr... (Score:3, Interesting)

            by rjshields (719665)

            In what way? In the way that for some bizarre reason I can't port to another platform in the future if I want to?

            Take the code and try to compile and run it on Linux. Go on.

            In the way that they are telling me what I can and can't do in the future?

            I'm merely stating the obvious that seems to have escaped your attention.

            I think you may be confusing lock-in with making a choice.

            I don't think so.

            In that way, whatever platform and development language I choose, I will always be 'locked in' acc

    • MSFT has ported the .NET Framework to FreeBSD themselves!

      AND, Mono and .GNU run on many platforms (Linux, Windows, BSD, OSX and Solaris). As long as you don't use System.Windows (the desktop app stuff), you can do cross-platform development in many languages!

      I have written GTK# apps in VS.NET and run it on my Windows and SuSE box with ZERO modifications.

      If you want to bash something, you should probably learn a bit more about it. That's the reason I read the Bible multiple times: so I can refute Bible thu
    • Re:Interoperability? (Score:3, Informative)

      by CrazyLegs (257161)
      Dude.... I gotta comment. I'm a senior architect at a very large multi-national bank and I can attest that (in our case):
      • Java interoperability is extremely important. It's not about running the same code on different platforms, though. It's more about being able to switch out the platform when we need to (e.g. going from Wintel servers, to Linux and z/OS)
      • .NET is not knocking the socks off of Java. They are both shaping up to find their places. In our org, anything we write is Java (any tier, including c
    • Re:who cares? (Score:3, Insightful)

      by Tarwn (458323)

      There is absolutely no point to .NET when it only runs on windows.

      How many companies are purely Windows shops? I would think that given that one fact (and ignoring mono, .GNU, etc) there might be a reason for the existence of .Net.

      Don't get me wrong, I'm not a .Net zealot by any measure, though I do write a good bit of it at work. Work being mostly a Windows shop with only two Linux boxes and one Mac (compared to 5-600 Windows boxes). We don't care if Java works on desktops and servers, we're not going to