Security consultancy @stake has completed a comparative security analysis of Microsoft's .NET Framework and IBM's WebSphere development environment which concludes that Redmond's environment takes less effort to secure.
Although touted as independent, the analysis was funded by Microsoft, a point @stake openly discloses.
For the record, @stake compared Microsoft's .NET Framework Version 1.1, running in Windows Server 2003, and IBM's WebSphere Java 2 Enterprise Edition (J2EE) framework, running in both Unix and Linux environments.
The research shows that while both frameworks provide comprehensive tools and infrastructure for building secure Web applications and Web services, the .NET Framework on Windows Server 2003 "better complies with security best practices and requires less effort to secure," according to @stake.
"The study is a great resource for software developers who are designing, developing, testing and maintaining the security of their Web applications," said James Mobley, president and CEO, @stake, Inc. "Microsoft has made significant progress on application platform security. Windows Server 2003 and the .NET Framework 1.1 were clearly built with security in mind and received strong ratings from our research team."
@stake is now a key partner of Microsoft and has staff employed in code review for the software giant. It has come a long way since the days when its founders at L0pht poked not-so-gentle fun at Microsoft in the tag line to their Web site. (From memory, L0pht had a quote from someone at Microsoft saying "that vulnerability is purely theoretical" with a rejoinder saying "L0pht: making the theoretical possible since 1997").
You want to know more about the tests? Here's what @stake has to say about its study:
To evaluate the platforms, @stake developed a scoring system for calculating "security best practice compliance" and "ease of securing" metrics. When the scores for three scenarios - Web application, Web service and Intranet application - were calculated, the .NET Framework scored higher than WebSphere in both areas by a narrow margin. @stake's findings define the strengths and weaknesses of each framework in relation to feature completeness, level of security provided by default, and the overall level of effort required to bring solutions built on the platforms to a level compliant with security best practices.
@stake has published a more detailed breakdown of its findings and methodology here.
In fairness to @stake, the report shows that the company has worked hard on the project. But we wonder if you can ever be objective about security.
Neil Barrett, technical director at UK consultancy Information Risk Management (IRM), says he has yet to see objective measurements of security, although there are objective metrics of usability in computing.
IRM has tackled projects involving both WebSphere and .NET; .NET projects are encountered far more frequently in IRM's work.
According to Barrett, the .NET framework is easier to handle and "more engineered out of box", in common with most Microsoft products.
WebSphere, by contrast, offers more choices. While this may leave more room for slip-ups, an expert would welcome this increased level of control, make better choices and end up building a more secure platform, Barrett says.
So while it might, as @stake suggests, be easier for novices to get up to a pretty good level of security using .NET, other tools may be better suited to building a really secure platform.
And @stake's study neglects arguably the most important area in security: the human factor. ®