.NET ‘more secure’ than WebSphere

Says MS-funded study


Security consultancy @stake has completed a comparative security analysis of Microsoft's .NET Framework and IBM's WebSphere development environment which concludes that Redmond's environment takes less effort to secure.

Although touted as independent, the analysis was funded by Microsoft, a point @stake openly discloses.

For the record, @stake compared Microsoft's .NET Framework Version 1.1, running in Windows Server 2003, and IBM's WebSphere Java 2 Enterprise Edition (J2EE) framework, running in both Unix and Linux environments.

The research shows that while both frameworks provide comprehensive tools and infrastructure for building secure Web applications and Web services, the .NET Framework on Windows Server 2003 "better complies with security best practices and requires less effort to secure," according to @stake.

"The study is a great resource for software developers who are designing, developing, testing and maintaining the security of their Web applications," said James Mobley, president and CEO, @stake, Inc. "Microsoft has made significant progress on application platform security. Windows Server 2003 and the .NET Framework 1.1 were clearly built with security in mind and received strong ratings from our research team."

@stake is now a key partner of Microsoft and has staff employed in code review for the software giant. It has come a long way since the days when its founders at L0pht poked not-so-gentle fun at Microsoft in the tag line to their Web site. (From memory, L0pht had a quote from someone at Microsoft saying "that vulnerability is purely theoretical" with a rejoinder saying "L0pht: making the theoretical possible since 1997".)

You want to know more about the tests? Here's what @stake has to say about its study:

To evaluate the platforms, @stake developed a scoring system for calculating "security best practice compliance" and "ease of securing" metrics. When the scores for three scenarios - Web application, Web service and Intranet application - were calculated, the .NET Framework scored higher than WebSphere in both areas by a narrow margin. @stake's findings define the strengths and weaknesses of each framework in relation to feature completeness, level of security provided by default, and the overall level of effort required to bring solutions built on the platforms to a level compliant with security best practices.

@stake has published a more detailed breakdown of its findings and methodology here.

In fairness to @stake, the report shows that the company has worked hard on the project. But we wonder if you can ever be objective about security.

Neil Barrett, technical director at UK consultancy Information Risk Management (IRM), says he has yet to see objective measurements of security, although there are objective metrics of usability in computing.

IRM has tackled projects involving both WebSphere and .NET; .NET projects are encountered far more frequently in IRM's work.

According to Barrett, the .NET framework is easier to handle and "more engineered out of the box", in common with most Microsoft products.

WebSphere, by contrast, offers more choices. While this leaves more room for slip-ups, an expert would welcome the extra control, make better choices and end up building a more secure platform, Barrett says.

So while it might, as @stake suggests, be easier for novices to get up to a pretty good level of security using .NET, other tools may be better suited to building a really secure platform.

And @stake's study neglects arguably the most important area in security: the human factor. ®

Related Stories

Windows Server 2003 - Secure by Default
Office workers give away passwords for a cheap pen
People are the biggest security risk
NT4.0 too flawed to fix - official
IT managers trust Microsoft on security...
Too cool for secure code
Open and closed security are roughly equivalent

External Links

Security analysis of Microsoft .NET Framework and IBM WebSphere, by @stake (funded by MS) Vs. Passive smoking isn't really harmful, 'independent' study funded by tobacco industry
