@stake, Inc., an independent security consulting firm, performed an extensive analysis comparing security in the .NET Framework® 1.1, running on Microsoft® Windows® Server 2003, to IBM WebSphere® 5.0, running on both Red Hat Linux Advanced Server 2.1 and a leading commercial distribution of Unix®. This report gives customers a resource for better understanding the differences between the leading application platforms and guidance on security best practices.
Overall, @stake found that:
Both platforms provide infrastructure and effective tools for creating and deploying secure applications
The .NET Framework 1.1 running on Windows Server 2003 scored slightly better with respect to conformance to security best practices
The Microsoft solution scored even higher with respect to the ease with which developers and administrators can implement secure solutions
The overall differences between the platforms were not large. Based on the results of this study, companies should feel comfortable deploying web and web service applications on WebSphere and on Windows Server 2003 with .NET Framework. In addition, our analysis shows that with appropriate processes and training, applications created for the Microsoft solution can be made as secure as those created for IBM WebSphere.
As a result, @stake recommends that:
Development organizations that are experimenting with Microsoft Windows Server 2003 and .NET Framework should not allow security concerns to hold back deployments
Companies that have made strategic commitments to either platform need not switch solely on the basis of security
Companies seeking to standardize on a web application platform will derive significant security benefits from both, but may find the Microsoft solution easier to secure initially
The balance of this section provides an overview of @stake’s methodology, findings, and conclusions.