@stake Announces Results of its Security Analysis of Microsoft .NET Framework and IBM WebSphere

Business Editors

CAMBRIDGE, Mass.--(BUSINESS WIRE)--June 3, 2003

Digital security consulting firm @stake, Inc., today announced the results of its independent security analysis of two environments for building and deploying Web-based applications and XML services -- Microsoft's(R) .NET Framework Version 1.1, running in Windows(R) Server 2003, and IBM's WebSphere(R) Java(TM) 2 Enterprise Edition (J2EE) framework, running in both Unix(R) and Linux environments. The analysis, which was funded by Microsoft, was performed with no assistance from any of the vendors involved. The research shows that while both frameworks provide comprehensive tools and infrastructure for building secure Web applications and Web services, the .NET Framework on Windows Server 2003 better complies with security best practices and requires less effort to secure.

To evaluate the platforms, @stake developed a scoring system for calculating "security best practice compliance" and "ease of securing" metrics. When the scores for three scenarios -- Web application, Web service and Intranet application -- were calculated, the .NET Framework scored higher than WebSphere in both areas by a narrow margin. @stake's findings define the strengths and weaknesses of each framework in relation to feature completeness, level of security provided by default, and the overall level of effort required to bring solutions built on the platforms to a level compliant with security best practices.

"The study is a great resource for software developers who are designing, developing, testing and maintaining the security of their Web applications," said James Mobley, president and CEO, @stake, Inc. "Microsoft has made significant progress on application platform security. Windows Server 2003 and the .NET Framework 1.1 were clearly built with security in mind and received strong ratings from our research team."

Research Methodology

Using unique skills, tools and methodologies developed by its Application Center of Excellence and its Attack Simulation Center of Excellence, the @stake team created a comprehensive methodology for assessing the security features included with standard deployments of Windows Server 2003 with the .NET Framework 1.1 and IBM WebSphere on Unix and Linux. To ensure objectivity, security analysts at three industry research firms validated the methodology and reviewed the comparative strategy.

@stake analyzed the level of effort required to minimize all inherent attack surfaces present in out-of-the-box installations of the 1) Host/Operating systems, 2) Web Servers and 3) Application Server environments. For each platform, @stake defined these three high-level categories, each with several major areas of analysis. The 16 areas of analysis, including communications security, cryptography, Web services security, authentication, information disclosure and session management, were further broken down into 45 distinct topics. Each topic contained a set of best practices that defined the security benchmark for the area, based on security features that are frequently implemented incorrectly. @stake defined sixty-seven host and application security best practices in total, such as user data input validation, executing code with least privilege, and opaque and unpredictable session identifiers. Finally, each best practice included test cases designed to measure each platform's compliance. 103 test cases in total were defined.

To score the best practices and test cases, @stake developed a scorecard. The scorecard quantifies each platform's compliance with best practices and the level of effort required to implement an application using best practices. The level of effort is based on the effort associated with completing each test case. Each platform was rated on a score of one to five (five being the best). Level of effort included implementation complexity, quality of available documentation and sample code made available from the vendors, developer and administrator skills needed, and time required to implement.

For more information on the methodology, scoring and findings from this independent study, download a copy of the executive summary or full report at www.atstake.com.

About @stake, Inc.

@stake, the premier digital consulting firm, provides security services and award-winning products to assess and manage risk in complex enterprise environments. The company's SmartRisk services cover key aspects of security, including applications, critical infrastructure, wireless and wired networks, storage systems, education, and incident readiness. @stake consultants combine technical expertise with a business focus to create comprehensive security solutions for industry leading companies in financial services, information technology, energy & utilities, healthcare, and telecommunications. As the first company to develop an empirical model that measures Return On Security Investment (ROSI), @stake keeps security investments in line with business requirements.

Headquartered in Cambridge, MA, @stake has offices in London, New York, Raleigh, San Francisco, and Seattle. For more information, go to www.atstake.com.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. WebSphere is a registered trademark of IBM Corporation in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product and service names may be trademarks or service marks of their respective owners.