In the latest salvo in the Web services platform wars, Microsoft Corp. this week will announce that a major security company has found its .Net Framework better than IBMs WebSphere for building and deploying secure Web applications and services.
The report, prepared by @Stake Inc.—and commissioned by Microsoft—said both platforms provide the necessary tools and infrastructure to build secure applications but that .Net Framework is superior to WebSphere in the areas of ease of securing applications and SOAP (Simple Object Access Protocol) security.
@Stake, of Cambridge, Mass., is set to release the report at Microsofts Tech Ed conference in Dallas, sources said. In the report, @Stake said that “Microsoft engaged @Stake” to do the competitive security analysis. The security consulting company said it spent more than 1,500 man-hours on the analysis and applied more than 100 test cases to both technologies.
Neither Microsoft nor IBM had a hand in the testing, according to @Stake officials. “We went to great lengths to remain independent on this,” said Lona Therrien, an @Stake spokeswoman. “Microsoft had absolutely no input on the way the tests were done. We did everything on our own.”
The tests compared .Net Framework 1.1, running on Windows Server 2003 and Microsoft SQL Server 2000 for .Net Framework as its database, with an IBM platform of WebSphere Application Server 5.0, on both Linux and Unix, running Java 2 Platform, Enterprise Edition and DB2 7.2 on the back end. @Stake used Microsofts Visual Studio .Net 2003 as the development tool for the Microsoft configuration and IBMs WebSphere Studio Application Developer 5.0 as the development tool in the IBM configuration.
According to the report, .Net beat WebSphere in terms of compliance with best practices and the effort required by a developer to secure applications. Microsoft, of Redmond, Wash., also scored better than IBM, of Armonk, N.Y., in terms of application logging services, integration of Web server security with the application server, validation of user-submitted input and Web services support.
WebSpheres architecture, which includes a number of pieces not developed by IBM, makes it more difficult to secure, according to the report. “Because of the number of moving parts, the security model is more complex,” the report said. “IBM should do more to decrease the level of effort required by developers to write secure WebSphere code.”
IBMs strengths are its mature role-based access control model, validation of SOAP data, excellent separation of security policy from implementation, effective session management and use of open-source technology, the report said.
Although .Net rated higher, the “differences were not large,” the report said. Yet, “companies may find the .Net Framework to be an easier Web application platform to secure initially.”
Microsoft officials did not respond to requests for comment by press time. IBM officials said they could not comment because they had not yet seen the report.
Developers, for their part, said studies dont play a big role in the buying process. “I formulate my opinions based on real-world experience or ask the advice of people who have used something I have not, who I trust,” said Stephen Forte, chief technology officer at Corzen Inc., in New York.
Additional reporting by Dennis Fisher
More on .Net and WebSphere: