.NET ‘more secure’ than WebSphere

Says MS-funded study


Security consultancy @stake has completed a comparative security analysis of Microsoft's .NET Framework and IBM's WebSphere development environment which concludes that Redmond's environment takes less effort to secure.

Although touted as independent, the analysis was funded by Microsoft, a point that @stake openly discloses.

For the record, @stake compared Microsoft's .NET Framework Version 1.1, running in Windows Server 2003, and IBM's WebSphere Java 2 Enterprise Edition (J2EE) framework, running in both Unix and Linux environments.

The research shows that while both frameworks provide comprehensive tools and infrastructure for building secure Web applications and Web services, the .NET Framework on Windows Server 2003 "better complies with security best practices and requires less effort to secure," according to @stake.

"The study is a great resource for software developers who are designing, developing, testing and maintaining the security of their Web applications," said James Mobley, president and CEO, @stake, Inc. "Microsoft has made significant progress on application platform security. Windows Server 2003 and the .NET Framework 1.1 were clearly built with security in mind and received strong ratings from our research team."

@stake is now a key partner of Microsoft and has staff employed in code review for the software giant. It has come a long way since the days when its founders at L0pht poked not-so-gentle fun at Microsoft in the tag line to their Web site. (From memory, L0pht had a quote from someone at Microsoft saying "that vulnerability is purely theoretical" with a rejoinder saying "L0pht: making the theoretical possible since 1997".)

You want to know more about the tests? Here's what @stake has to say about its study:

To evaluate the platforms, @stake developed a scoring system for calculating "security best practice compliance" and "ease of securing" metrics. When the scores for three scenarios - Web application, Web service and Intranet application - were calculated, the .NET Framework scored higher than WebSphere in both areas by a narrow margin. @stake's findings define the strengths and weaknesses of each framework in relation to feature completeness, level of security provided by default, and the overall level of effort required to bring solutions built on the platforms to a level compliant with security best practices.

@stake has published a more detailed breakdown of its findings and methodology here.

In fairness to @stake, the report shows that the company has worked hard on the project. But we wonder if you can ever be objective about security.

Neil Barrett, technical director at UK consultancy Information Risk Management (IRM), says he has yet to see objective measurements of security, although there are objective metrics of usability in computing.

IRM has tackled projects involving both WebSphere and .NET; .NET projects are encountered far more frequently in IRM's work.

According to Barrett, the .NET framework is easier to handle and "more engineered out of the box", in common with most Microsoft products.

WebSphere, by contrast, offers more choices. While this may leave more room for slip-ups, an expert would welcome the increased level of control, make better choices and end up building a more secure platform, Barrett says.

So while it might, as @stake suggests, be easier for novices to get up to a pretty good level of security using .NET, other tools may be better suited to building a really secure platform.

And @stake's study neglects arguably the most important area in security: the human factor. ®

Related Stories

Windows Server 2003 - Secure by Default
Office workers give away passwords for a cheap pen
People are the biggest security risk
NT4.0 too flawed to fix - official
IT managers trust Microsoft on security...
Too cool for secure code
Open and closed security are roughly equivalent

External Links

Security analysis of Microsoft .NET Framework and IBM WebSphere, by @stake (funded by MS) Vs. Passive smoking isn't really harmful, 'independent' study funded by tobacco industry
