Why are many of the banking sites implemented in Java rather than .NET?

Question

We are developing an application for a banking client which includes transactions and the site should be very secure. The business process is finalized. Then we decide on the technology.

We suggested .NET 3.5 framework with C#. The client replied for security reasons and ease of use we are going to Java. Also many of the banking sites are developed in Java eg: Bank of california https://banking.uboc.com/UBOC/Banking/SignOn.jsp

I dont know: is .NET not secure? Why are many banking sites are developed in Java rather than .net or some other technologies?

Answer 1

I don't think it's anything to do with one being more secure than the other.

More likely just that Java has been around longer and until .Net was considered mature most of these applications would have been written in Java. As banks are typically pretty conservative with their software Java would look like a safer choice.

That being said, I have worked for a bank that was writing a lot of software, mostly customer facing stuff, in .Net.

Answer 2

Two major factors:

• Java has been around for significantly longer:
  • Banks have had longer to get Java through the many hoops their systems/IT/security departments will put up.
  • Inertia: If banks already have systems in Java, it's reasonable to stick with it - you already have in-house development skills; interoperability is likely to be easier; fewer new deployment issues etc.
• Java is more cross-platform than .NET. There's Mono, but I suspect many banks may be somewhat suspicious of that as a platform to bet their business on. Likewise I suspect many banks don't want to tie themselves to Windows as a server platform.

Note that I'm not saying banks don't use .NET - just that there are reasons why some of them may not want to.

Answer 3

I've worked for one of the larger banks, and the web site we built (internal CRM, not public facing) was done in ASP.NET

blanket statements like "X is more secure than Y" most often really mean "we have people that know/like X and don't know/like Y"

the language you program the web site in is not the main source of security risks!

Answer 4

Its hard to take a single data point and extrapolate from it. As a counterpoint - US bank appears to be running Coldfusion (.cfm - unless I am mistaken in my extensions).

This client may have simply meant they have sysadmins experienced with running a java stack vs a .NET stack. The person in charge may have simply made a judgement call based on what he knows/she knows. Its difficult to tell from just that statement.

If it is true that banks tend to run on Java, then it may just be a crowd thing - everyone else is doing it so better not risk doing something different - one more thing to point to if something bad does happen.

If you are curious (and you have a more than passing relationship) why not simply ask them how they arrived at that conclusion? If nothing else its a good chance to learn something.

Answer 5

(Disclaimer: this is my personal opinion, which may be wrong.)

1) .NET is owned by Microsoft, and it's support is actually pathetic. (Remember when they refused to fix String.IsNullOrEmpty in VS 2005?) On the other hand, Java is not owned by Sun (they only own the trademark). Many vendors in the community support Java, and even release their own JREs and JDKs (e.g. IBM and Oracle).

2) Java's source code has been available for years. Security issues are rare and unexpected. Additionally, you get the security of running Java on a *NIX system.

3) The performance of the Java VM for many basic operations is better than their .NET equivalents. [personal impression based on personal measurements; citation needed]

4) The Java Community Process involves more than 16 vendors, who collectively drive new versions of Java. In contrary, .NET is only driven by Microsoft.

5) The availability of open-source Java libraries is huge. This is no where to be compared with .NET (AFAIK).

5) Does anyone really trust Windows as a platform for such important applications? If I were a bank, I'd use Solaris (or OpenBSD if I could).

Answer 6

Two are the reason/facts I've seen.

1. The Java platform is more mature and has been around for more years.
2. Enterprises whose server preference is a UNIX machine like THIS ONE!!! don't use .NET

About the first, it doesn't imply .NET is not mature enough, just, that Java came first.

About the second. Yes there's Mono, but seriously; If you have a .NET mission critical app, Would you run it on your Windows Server? Or in Linux machine running Mono?

:)

Answer 7

Working as a Java developer in the banking sector for a few years, I have seen many more Unix servers (Solaris, HP-UX, AIX) than Windows servers. I have also seen many different application servers in use (WebLogic, Jboss, WebSphere, ...).

I think that when you have mission critical applications, having choice is a must have. As far as I know, if you want to deploy .NET applications, it is on a PC, on Windows, with a Microsoft Application Server. On the Java side, you can choose which hardware, which OS, which application server... That means that you have far less chance to get screwed by a vendor.

Answer 8

To some extent it's a function of who they hired to do their site. HSBC hired IBM - so their platform is Java on WebSphere.

Answer 9

Amongst financial software, there indeed seems to be a preference for using Java. As mentioned in this thread before, one of the relevant arguments is indeed the competences of the developers/firms hired to do the job. At least in our neck of the woods that boils down to Java on WebSphere.

Security - which has also been mentioned - IMHO is not a relevant argument. Today, it is as hard to code a secure application and build up secure infrastructure on a *nix/java stack as it is on a windows/.net stack. How hard exactly, has much to do with developer and sysadmin experience. Honestly, -and I am a *nix/java guy- I have seen quiet a lot of plain insecure *nix/java based applications, just as I have seen people building a really secure windows/.net based application.

Choice of runtime environments is indeed a lot wider, and some runtime environments have the added benefit of being open source (which, in my experience, can speed up development targeted at these environments as wel as improve security planning and implementation)

Finally, I see two more historical reasons why financial institutions tend to favour the *nix/java stack.

Until the advent of Windows 2000 datacenter edition (and even after that to some extent), if you wanted big boxes (which financial institutions did), you'd have been tied to Unix machines. Buying such big boxes and putting them to use is rather large an investment. Obviously, once you've done that investment, you become a little more reluctant to change.

Next there is the reason of legacy systems (think for example the IBM mainframes), present at various financial institutions, for which the vendors have strong ties to the Java ecosystem (think IBM again).

Answer 10

I've developed and maintained the trade processing system for one of the largest banks in the world and the technology was Java. There were 2 reasons why the bank's IT teams chose Java over .NET

• Choice of the server hardware and software stack. For scalability, failover and security reasons, banks choose Linux/Solaris servers over Windows servers.

• Choice of the application server. Banks generally buy server products off the shelf from big companies like IBM and/or Oracle (BEA).

Plus add to the fact that Java has been around longer than .NET and there is a huge community built around the Java programming language that build a whole lot of products ranging from simple APIs to complex server and database management.

Answer 11

As well as the comments above, I'd assume the Sun server technology has a lot to do with it, and Solaris too. The hardware (Blade/Sparc) is particularly well known for its resilience and scalability.

Answer 12

Wanna know the real reason.....politics. The people in charge at the moment like Java. That's the whole reason. In large banks there is a lot of jockeying around which products are used and which company has influence over people making the decision. Rarely it is ever about which is truly the better product....it's about money. Some of it is about what is a good fit, but it is rarely the sole deciding factor. It all comes down to the bottom line. The real one that's reported on the financial reports and the stock holders see.

The reason: in the long run it's cheaper for them to choose a product which costs a little less and is harder for the IT staff to implement (Think 100 dollars a user times 1000 or 10,000 users and you see how it starts to add up. Large banks never pay market price). Why you ask, easy, because they are going to have IT staff to implement it in a certain time frame. Most employees aren't hourly, so a few extra hours doesn't cost them anything. Also the consultants they hire to get the job done will work at a reduced price, because being on a banks accepted vendor list is like gold, and any company selling IT services like consulting wants to be on it. It's like getting a pass to an exclusive party.

Both .Net and Java can do the same thing roughly, so it depends normally (on large banks) on which salesperson is more influential. Most of the time I have seen it go between Microsoft and IBM.

The key thing you have to realize about banks is that they make money....lots of money. Unless they do something really stupid (like the housing market), they are very efficient machines at what they do.

Answer 13

It is a question of experience. This customer has people experienced in java, so they have a good reason for wanting new apps in java. Even when capabilities are comparable, each platform has its own weak points. Experienced people know them, and it is simply more difficult to get enough experience on both platforms.

The other way around I've also seen. Insurance companies are .net centric, banks are java centric, at least around here. Companies that do both have big competence and standardization struggles. In addition, the java centricity is mostly on the server side, not on the desktop.

Then there are some practical issues with .net. The life expectancy of banking software, especially back-office, is about 30 years. Microsoft has shown to be not interested in keeping technology alive so long. Consequence of that is that expected through-life maintenance costs are much higher for .net, as migration to newer technology cannot be avoided.

Answer 14

Here is a list of all known Linux viruses http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses None of them written in Java.

Here is a list of 17,654 know Windows viruses, many of these written using .NET. http://www.pacs-portal.co.uk/startup_pages/startups_all.zip This is just a fraction of all viruses that a commercial virus scanner would search for.

Answer 15

This my own personal opinion:
.Net and Java are nearly the same,
What make Java the first choice in very big organizations is:
- Windows as OS is not secure compared to Linux OS.
- Java is an old language compared to .Net is these organizations "so more trustful"
- Java has a good relation with Oracle
- Finally Cross platform issue.