What about .NET vs Java Security?

Interesting stuff, no?

Comments (31)

  1. Ricky Datta says:

    I can assure you that this will not be picked up by Slashdot or TheServerSide as it does not conform to their reader’s belief system.

    hehe…

    Ricky

  2. AIM48 says:

    This might be the inverse of the IE effect. Since JAVA has been around so much longer (and more widely deployed), it is more of a target for "Security Researchers and friends".

    But that might change

  3. murphee says:

    Well well, sounds terrible, doesn’t it? 14 is much higher than 4… boy…

    Of course, what you don’t mention is the fact that the .NET vulnerabilities are all marked much more critical than the Java ones. (Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % Highly Critical). One should of course also mention that this 1 highly critical vulnerability is a *Buffer Overflow* in JPEG processing code…

    But compare yourself:

    .NET: http://secunia.com/product/667/

    Java:

    http://secunia.com/product/784/

  4. I guess the 31% of Java’s vulnerabilities that are unpatched are the ones that are "not critical". I suppose also because there are 14, and not 4, that Sun couldn’t fix them like Microsoft could?

    I guess local system exploits and DoS attacks aren’t really high on Sun’s list of things to do. Neither side is THAT impressive, but it’s nice to know how Sun deals with security problems even if they "seem" minor.

  5. uwe says:

    So these graphs show that Microsoft gives out fewer advisories than Sun. Does it tell something about the applications themselves? 😉

  6. Alun says:

    Let’s play math games, then. The Secunia page lists 13% of the Java vulnerabilities as being "Security Bypass", and 25% of the .NET vulnerabilities that way. Looks bad for .NET.

    Hmm… wait a minute, though… 13% of 14 is two (allowing for Secunia’s rounding), 25% of 4 is 1. So, Java has two "Security Bypass" flaws during that time, .NET has one. So, what is murphee trying to tell us with his percentages? That he can play with statistics as well as anyone?

  7. xxx says:

    Alun:

    The numbers are too low to play with percentages. On the other hand, this is telling:

    "Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % Highly Critical"

    You should also remember that whereas J2EE apps are strong residents in Linux/Unix/Mac and other platforms that are more secure than Windows, Dotnet so far is mainly used in Windows, which everyone knows is riddled with security holes.

  8. dgw says:

    Even while the numbers are too low to be statistically meaningful, let’s do some simple math to make xxx’s point excruciatingly clear:

    69% Java not critical = .69 * 13 = 9

    31% Java moderately critical = .31 * 13 = 4

    75% .NET moderately critical = .75 * 4 = 3

    25% .NET highly critical = .25 * 4 = 1

    So, ignoring the non-criticals, by Secunia’s definition, we have a ‘criticals’ total of:

    Java: 4 moderately criticals

    .NET: 3 moderately criticals, 1 severely critical.

    Even ignoring the fact that Java is more pervasive than .NET (a sin that the Slashdot crowd commits relative to Windows versus the ROW) and that the reports have been coming out over a longer period of time, .NET seems to be a bit more insecure.

    So what was the point of the original post?

  9. kalim says:

    And check out the IMPACT graph for both – advantage: Java!

  10. Michael Howard says:

    >>So what was the point of the original post

    Very simple – everyone has security bugs, and only Msft admits it!

  11. Jeff says:

    I guess the point I took away was that the assumption about anything Microsoft before the blog seemed to be similar to what xxx says: "…which everyone knows is riddled with security holes."

    However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn’t ‘critical’. (Convenient assumption that, I wonder if that would happen if the numbers were reversed…)

  12. xxx says:

    "However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn’t ‘critical’."

    You’re confusing .NET with Windows/IIs/IE… .NET is probably just as screwy as the others, it’s just that there aren’t enough data points yet to confirm it – notice that the graph is only for about 1 year.

    The point is, even over that short period, and even granting the fact Java has been here several times longer, Java STILL is more secure than dotnet.

  13. Michael Howard says:

    xxx Dude – I accidentally deleted your last post – can you pls repost it?

    thanks!

  14. xxx says:

    Do you really want me to keep "kicking" your butt? 😉

  15. Michael Howard says:

    It’s all in a day’s work :)

  16. xxx says:

    "Very simple – everyone has security bugs, and only Msft admits it!"

    I’ll hope you’re only kidding here, because that’s the stupidest statement I’ve heard coming from a Microsoft employee. Denying or blinding oneself to the fact that Microsoft Windows or IE or IIs, for example, is a treasure trove of security breaches (even the major news organizations regularly report this because of the severity and potential damage) does NOT inspire any confidence that MSFT is serious about solving these problems…

    SHAME on you, as you are, as you point out, a "security" guy at MSFT!

  17. Michael Howard says:

    Seriously, let’s look at this constructively. Everyone has security bugs, right? We agree on that I hope!

    But where do you hear that anyone but Microsoft has security bugs? We’re actively working on addressing the issue, with time, education, $$, process improvement, better security testing, better libs, better best practice (I could keep going.) And yet, no-one else seems to want to do this work. Why? Beats me, because everyone has security bugs. Am I really that off-base?

  18. xxx says:

    That’s a really simple thing to say and I’m trying not to call you names like "simple simon" (I mean, who else would simply COUNT the number of advisories without looking at the underlying severance and impact of the advisories)…

    Obviously everything has the potential to have security problems…the point is, which ones have the most security bugs and the most critical ones. Your entry actually backfired by showing that in fact Java has a better record on this than .NET.

    Microsoft has rightly been attacked by the press and the public for its poor security record, so you doing a PR on the thing doesn’t really help things – it just shows Microsoft still has not owned up to the fact it needs to do some serious convincing to make the common perception that its products are security sieves go away.

  19. Michael Howard says:

    You dodged my comment/question, no-one else has serious security issues?

  20. xxx says:

    And you obviously don’t understand why people are angry at microsoft since I did answer your question and went beyond:

    other products may have security issues…Java itself may have some real problems…but simply by doing the comparison above you highlight the point that the number and severity and impact of issues will vary from product to product – and the point is that microsoft products seem to be unusually rife with problems that are severe.

    get it now?

  21. Daniel says:

    I think you can’t simply measure the number of (published) security issues.

    The ValidatePath issue in the ASP.Net code was a really heavy issue. And especially since MS had real trouble with (url)-canonicalization issues in IIS in the past, I think such a mistake should not happen. They should know better.

    Maybe the guy who coded it didn’t read your book;-)

  22. Michael Howard says:

    >>I think such a mistake should not happen

    Totally agree! There’s a full post-mortem underway!

    These are, I’m afraid to say, common industry mistakes:

    PHP: http://secunia.com/advisories/11792/

    Crystal Reports: http://secunia.com/advisories/11800/

    BEA WebLogic: http://secunia.com/advisories/11435/

    Sun JSP: http://secunia.com/advisories/8879/

    Perhaps more people should read the book :)

  23. RedoBlog - De .NET says:
  25. SaD J says:

    how many serious java apps vs .NET apps out there?

  26. Ricky Datta says:

    Michael,

    Can you please comment on this :

    http://secunia.com/product/22/

    Why are 26% still unpatched ?

    Not verifiable, not reproducible ?

    btw.. I appreciate what you do for developers.

    Thank you.

    Ricky

  27. Ya'akov Yehudi says:

    Microsoft products may have many patches, but those products which do not have serious _unpatched_ vulnerabilities _cannot_ still be called "riddled with security holes", as done by xxx.

  28. 厚重之刀 says:

    I think .NET is more safe than Java.