Comparison of Java and .NET security
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
Re:Had to switch from Java to .NET (Score:1, Insightful)
Re:Except... (Score:1, Insightful)
Re:Difference in ages (Score:5, Insightful)
Brr... (Score:1, Insightful)
.NET? Is this thing still around? (Score:3, Insightful)
They looked at Java and improved it! (Score:5, Insightful)
It feels like they looked at Java and stripped out the bad and produced easy-to-use, clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.
The Visual Studio IDE however! Piece of HTML mangling non XHTML compliant &*$£
Re:Difference in ages (Score:3, Insightful)
Over the years I've seen many remarkable architectural designs, including the Windows NT Security Model (back when NT meant New Technology), which were thought to be ideal. 11 years on, no one could seriously claim that the Windows security model is ideal.
Source code access (Score:5, Insightful)
Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider those quickly-fixed flaws in a young product.
So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.
Now, question is, why are there no vulnerabilities discoveries in the
However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the
So, availability of source code might be enough to generate two or three vulnerability discoveries per year.
Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in
Mod parent down (Score:1, Insightful)
Re:.NET? Is this thing still around? (Score:5, Insightful)
hardly objective (Score:4, Insightful)
Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and
Java's security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by Sun. Overall I trust this process more than I trust the Microsoft process which when it comes to security has received a lot of criticism over the past few years.
1 point for .net, -10 for Windows (Score:1, Insightful)
How far does that get you?
blah... flawed logic (Score:5, Insightful)
However, this study is flawed.
Re:They looked at Java and improved it! (Score:3, Insightful)
Re:Yeay! Security plus portability minus cost... (Score:3, Insightful)
>.NET: price: free, You only need to have Windows
>2003 Business Server for serious work
>portable: it runs on many systems, like
>Windows and
mono and
You shouldn't look at anything older than Windows 2000 though..
>IDE: brilliant Visual Studio, unfortunately
>no plugins
really now. They are called 'add-ins'.
>Java: price: free, well it is free
Sure, but not as in beer. Can I independently create my own JVM and distribute it?
>secure: most likely as secure as Your application
Sure, you can always trust the developer.
>speed: a bit clumsy, but hey, almost all >1GHz
>desktop PC can run Java application in very
>responsive manner (Eclipse, Netbeans, Azureus,
>etc.)
Sure. So if I want speed I should just add more machines.
>IDE: Eclipse and/or Netbeans ROCKS!
and all that in a very slow manner indeed..
Re:blah... flawed logic (Score:5, Insightful)
Re:Professionals use C for everything (Score:1, Insightful)
It is complex indeed. Which is not good. It is the cause for many errors which are hard to find. (Strings in C are about the worst you can get.)
Professionals who use C for everything should be fired because they should use a language suitable for the task instead.
Heh! (Score:5, Insightful)
I lack words.
Re:blah... flawed logic (Score:5, Insightful)
And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.
What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.
Actually, since no flaws have been found for
(And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)
Re:Source code access (Score:2, Insightful)
Oh wait... you have it on good authority from an unnamed source that MS uses "pretty much all of it". Hardly a good basis for discussion.
Sorry.
Re:Source code access (Score:2, Insightful)
----------
<sarcasm>
But other than all that... it's a pretty good match!
</sarcasm>
Sheesh.
Re:.NET? Is this thing still around? (Score:4, Insightful)
Speaking of abuse, pretty much every language can be abused to no end. Java is no exception. It won't stop you from making public fields, for example, which is generally considered a bad thing to do. Nor will it limit write access to them from outside the class (in contrast to Eiffel, where public fields are read-only from outside). The whole type system is a big mess as well (int vs Integer, anyone? and now with autoboxing?).
Re:Heh! (Score:3, Insightful)
Either the people writing the study are purposefully distorting their own data, or they are idiots, or both.
Expect more acts of desperation from Microsoft marketing as Java continues to dominate the enterprise server space.
Re:Difference in ages (Score:2, Insightful)
Re:Had to switch from Java to .NET (Score:2, Insightful)
VS.Net 2003 has lots of issues, certainly around web projects. It sure lacks refactoring, and it does not highlight errors without a compile.
All Java advocates here are shouting Eclipse, but the Java pros I work with use IntelliJ. Sometimes paying for something is better.
VS 2005 has improved a lot, and for doing
I'm downloading Eclipse now to take a look at it again, but if it's the usual Java sluggish/ugly normal Java client stuff we are used to then I won't be using it for very long.
Re:Just don't put .Net on a network (Score:1, Insightful)
By MS consultant I mean he was a Microsoft employee from their professional services division acting as a consultant to help resolve issues with the application. So call bullshit all you want.
Yes, we restricted the port ranges but guess what? When you do that on a SQL server box it crashes under load and MS was never able to resolve the issue. This was true even if the restricted range was very large or very small.
Where did I ever say "one box"? I said flat which means in one network segment.
As I said in my first post, "there may be a better way to implement .Net". I guess it would have been too much for someone to just post information instead of resorting to calling me a liar. :)
Re:Nonsense, utter nonsense (Score:3, Insightful)
Inheritance (at least single-inheritance) is easy in C, you can just create the first member of your object (struct) be an instance of another object. Thus, you can cast up (by dereferencing that member), the only difference being that the cast up is explicit (not necessarily such a bad thing!). And you can cast down implicitly by using casted function pointers that take the subclass pointer (works because it is the first member in the struct).
As for encapsulation, you get that in C simply by encapsulating all you want in the same module. Hiding the data and code you want in the C side and exposing what you want in the H side. Sure, you can't enforce the hiding the private data in your struct, but you can hide it by convention.
Also note that in C++, you can't really enforce the data hiding either, i.e:
#define private public
#include "some_class.h"
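The struct-embedding pattern the comment above describes, written out as a small added example (this is not code from the thread; the Shape, Circle, Rect names and the area functions are made up for illustration). It shows the explicit up-cast via the first member, dispatch through a base pointer, and convention-only hiding: nothing stops a caller from reaching into the derived struct, which is the same point the `#define private public` trick makes for C++. The thread's variant casts the function pointer itself; here the down-cast is done inside the function so the call stays within defined behaviour.

```c
/* Added example: single inheritance in C via a base struct as first member.
 * Shape, Circle, Rect, shape_area and is_kind are invented names. */
#include <stdio.h>
#include <string.h>

struct Shape;
typedef double (*area_fn)(const struct Shape *);

/* "Base class": a type tag plus one vtable-style function pointer. */
typedef struct Shape {
    const char *kind;
    area_fn area;
} Shape;

/* "Derived classes": Shape is the FIRST member, so a Circle* or Rect* may be
 * cast to Shape* and back; C guarantees no padding before the first member. */
typedef struct Circle {
    Shape base;
    double radius;
} Circle;

typedef struct Rect {
    Shape base;
    double w, h;
} Rect;

/* Methods take the base pointer and cast down. This is only safe because each
 * function is installed exclusively on objects of its own concrete type. */
static double circle_area(const Shape *s) {
    const Circle *c = (const Circle *)s;   /* down-cast: valid for Circle only */
    return 3.141592653589793 * c->radius * c->radius;
}

static double rect_area(const Shape *s) {
    const Rect *r = (const Rect *)s;       /* down-cast: valid for Rect only */
    return r->w * r->h;
}

Circle make_circle(double radius) {
    Circle c = { { "circle", circle_area }, radius };
    return c;
}

Rect make_rect(double w, double h) {
    Rect r = { { "rect", rect_area }, w, h };
    return r;
}

/* Dispatch through the base pointer. The caller performs the explicit up-cast
 * the comment mentions, (Shape *)&circle; this function never learns the
 * concrete type and relies on the installed function pointer. */
double shape_area(const Shape *s) {
    return s->area(s);
}

/* Hiding here is by convention only: the layout is visible to every caller,
 * so a runtime tag check is the only guard before trusting a down-cast. */
int is_kind(const Shape *s, const char *kind) {
    return strcmp(s->kind, kind) == 0;
}

int main(void) {
    Circle c = make_circle(1.0);
    Rect r = make_rect(2.0, 3.0);
    const Shape *shapes[] = { (const Shape *)&c, (const Shape *)&r };
    for (size_t i = 0; i < 2; i++)
        printf("%s area = %.3f\n", shapes[i]->kind, shape_area(shapes[i]));
    return 0;
}
```

Compile with any C99 compiler; the tag check in is_kind is what you would add before any down-cast that takes untrusted input, since the compiler enforces none of the "private" boundary.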
Interoperability? (Score:1, Insightful)
If you look at the statistics Windows 2003 server is really catching on with businesses, that advances the
There's this thing called XML web services, if you've been living under a rock or just plain closed your eyes to the real world this means that you can communicate with any system, so Java as a web platform has lost its major advantage it once had over MS products.
In fact, the ease of installing a server, the cleanness of
That is why
For client side apps java is still the winner for multiplatform... but outside of handhelds it's largely irrelevant b/c Windows dominates the desktop market.
Re:They looked at Java and improved it! (Score:3, Insightful)
Jeremy
Re:Totally bogus (Score:3, Insightful)
Comparing this security to a native Java app is like comparing a Java app with JNI calls to an existing C or C++ app. The code is only as secure as the other code it is trusting.
Apples and Oranges
P.S. Your last analogy makes no sense whatsoever
Re:who cares? (Score:3, Insightful)
How many companies are purely Windows shops? I would think that given that one fact (and ignoring mono,
Don't get me wrong, I'm not a
And as far as running cell phones to an existing application, we decided to go the web-based route. There is no Java front-end or back-end requirement. Hell, you could easily have a Java front-end and C# back-end if you wanted, but we went with HTML front-end and C# back-end (though I was pushing for PHP
And if you work in a mixed shop that does require application functionality that is exactly the same across multiple platforms, I can see your point. However, in a Microsoft house you have the option of choosing your tools to fit the job. Maybe Java will be the best fit or maybe
Re:My take on the first 'graph' used (Score:3, Insightful)
It's actually good to do it that way because you can't do research until you have a hypothesis, otherwise you don't know what you are measuring. You have to establish that basis before doing the research, not after.
One last personal request: Using bold all over the place at random looks kinda like USING LOTS OF CAPS and doesn't help make a point. I recommend using bold on no more than one or two words in a paragraph.
Re:Had to switch from Java to .NET (Score:2, Insightful)
It seems most moderators haven't heard of it either, as nobody modded you up yet.
I am an Eclipse/Java guy now working on a VS C# project. Anyone who thinks VS is great please tell me how to do these automatically in VS.Net 2003 (I am admittedly a novice with the VS interface, so I am hoping these things are actually doable):
In addition (Score:3, Insightful)
Java isn't
Good try, but no (Score:2, Insightful)
Re:.NET? Is this thing still around? (Score:2, Insightful)
Re:.NET? Is this thing still around? (Score:4, Insightful)