This document reviews security features of the two most popular modern development platforms--Java and .NET (Java v1.4.2/J2EE v1.4 and .NET v1.1). The platform choice is not random, because they represent, to a certain extent, the competition between UNIX-like and Windows systems, which largely defined software evolution over the last decade. Although Java applications run on Windows, and there exist UNIX bridges for .NET, the Java/UNIX and .NET/Windows combinations are used for development of a significant portion (if not the majority) of applications on their respective operating systems, so both platforms deserve a careful examination of their capabilities.
Such an examination is especially important since different aspects of the UNIX/Windows and Java/.NET competition have been fueling endless heated debates between proponents of both camps, who often blindly deny the merits of the opposite side while at the same time praising their preferred solution. The material here is purposely structured by general categories of protection mechanisms, reviewing each platform's features in those areas. This allows starting each topic with a platform-neutral security concept and performing relatively deep drill-downs for each technology without losing track of the overall focus of providing an unbiased side-by-side comparison.
The document is based on the research material that was used as a foundation of the feature article, "Securing .NET and Enterprise Java: Side by Side", which was written by Vincent Dovydaitis and myself and appeared in Numbers 3-4 of Computer Security Journal in 2002. The following areas will be considered:
A practical guide for comparison and contrast of security features offered by Enterprise Java and .NET platforms.
The description above is quite an understatement. Even the full description does not do this book justice. Java vs. .NET Security is one of many keys to security but is more specific about benefits of one platform over the other in specific circumstances. It is a good way to improve the security experience of experts. Even experts should consider the price a steal if their security collection is to be thorough. Beginners beware. This is a high level book of comparison concepts of the two major platforms. You will know in the 'Introduction: Philosophy' if this book is for you.
The book sticks to the traditional definition of security and not the all inclusive one. A number of the learning issues are explained in a series of back and forth comparisons of the security of one platform versus the other. You need some fundamental understanding of the two platforms to keep everything clear. Advanced platform knowledge is desirable and almost a must.
My experience agreed with almost everything written. I am a member of a user group with a specialty in security. We work with concepts and code like this every month. Most members are developers and deal with this every working day. I appreciate the detailed and thorough comparisons.
The topics start with an Introduction, then move to Security Configuration and Code Containment, then Cryptography and Communication, then Code Protection and Code Access Security, then User Authentication and Authorization, then the Conclusion and Summary. Upcoming Security Features is very interesting. For some reason, the author covers two sets of major issues in each chapter. This book is complex and I would have made 10 chapters instead of five plus the Introduction and Upcoming Security Features.
The 5 chapters are written very thoroughly. I like that about this book. Explanations of history and trivia are all over the place but probably necessary. The figures are good and useful in the explanation of the concepts. The code is usually more than a few lines, but this is a more complicated book and requires it.
The topics are useful and helpful in just about any platform. The specific comparisons are right on the money. .NET wins by a hair in the overall comparison but some of the specific comparisons make Java more desirable in certain circumstances.
I thought the discriminations made about the two platforms went from general to specific in a hurry. Even so, the book is pretty long and needs to be digested in discrete chunks. No way to read this in one evening. I learned speed reading in grade school and have practiced through my lifetime. I tried it on one chapter, but there is no way to digest the concepts and comparisons that fast, at least for me. This is valuable knowledge worth your time to read and digest as thoroughly as possible.
The book is in .PDF format. I like that feature. You can buy this online through the O'Reilly shopping cart and then download it.
The 80+ pages were not easy to read and understand. I read it in one week. There were a few typos and grammar errors, but not very many. The book is for someone who is an expert and needs to know the specific times when one platform has even a slight benefit over the other. More experienced people should look it over to make sure they are up to speed with this author.
I would give this book 5 out of 5 stars. Definitive!!!!!
Frederick J Eccher Jr
M.S. Management of Information Systems
President, Board of Directors, Saint Louis Visual Basic Users Group