June 05, 2003

@Stake on the Take?

The security research and consulting firm @Stake recently released a security evaluation of the Microsoft .NET Framework and IBM's WebSphere as platforms for secure web application development.

The report is favorable towards .NET, giving it the edge over WebSphere, which has a lot of tongues wagging in the security community. One, because the report was reportedly "commissioned by Microsoft," and two, because @Stake started out as the vulnerability exposer The L0pht, a team that pledged to prove theoretical vulnerabilities real, especially MS vulnerabilities. For historical reference, The L0pht were the authors of L0phtCrack, a tool that sniffed the network for NTLM (NT LAN Manager) password information and cracked it.

So is the report skewed? Does MS' payment for the report's work mean that it's tainted? Only @Stake's hairdresser knows for sure. But my interpretation of the report's findings is that .NET is easier to secure, especially for application developers who aren't well versed in security, because it comes out of the box with fewer moving parts and a friendlier development environment. Simply put, it's easier to use and harder to mess up.

But that doesn't mean WebSphere isn't a perfectly valid development platform that can be used to build secure applications, just that it may require more knowledge. Is that a bad thing? Not really; web application developers ought to have a grasp of basic InfoSec in order to write secure apps. That they often don't is a sad reality, though.

So take a look at the report and draw your own conclusions. Any web application developers who want to send me their own feedback on the two platforms are welcome and encouraged to do so.

Posted by Diana at June 5, 2003 07:39 AM