Microsoft .Net software's hidden cost

Companies planning on moving their old programs to Microsoft's new .Net software plan had better prepare for sticker shock: Making the conversion could cost roughly half of the original development cost, Gartner says.

That may come as a blow to penny-pinching information systems departments in big companies, even those very familiar with Windows programming.

Typically, moving to a new software release isn't so costly. But, warns Gartner's Mark Driver, .Net isn't just a new release of Windows.

"People mistakenly assume the cost of upgrading will somehow be the same as going from one version of a well-established product to another. That's definitely not the case (with .Net)," said Driver, who devised the cost model.

Ari Bixhorn, Microsoft's product manager for Visual Basic.Net, disputed Gartner's conclusions. He said most conversions to .Net are about 95 percent error-free, meaning they can be completed at a cost much lower than what Gartner estimates.

Gartner, however, considered factors other than code conversions in its analysis, such as training and lost productivity. Bixhorn said he didn't see either training or productivity problems as much of a concern.

Microsoft's .Net plan includes new releases of the company's Windows operating system and other server software, along with development tools and infrastructure to make programs more Internet-aware. One new technology supported by .Net is Web services, which promise to make linking internal computer systems, and systems residing in multiple companies, far easier than current methods.

What's unclear is whether the additional cost of moving to .Net will slow Web services releases. Several technology buyers told News.com this week that they are waiting for additional standards and better compatibility before they commit to large-scale projects.

The most prominent piece of .Net released so far is Visual Studio.Net, a new version of Microsoft's development tool package, which debuted in February.

Visual Studio.Net includes new versions of familiar tools such as Visual Basic and Visual C++. But the tool bundle is radically different than predecessors. It includes a new development language called Visual C# (pronounced "see sharp"), and introduces the .Net Framework and Common Language Runtime, which are technologies for managing and running programs.

The new development tool package also ushers in ASP.Net, a specialized type of software called a class library, replacing an older technology called Active Server Pages (ASP) for creating Web applications that support new Web services technology.

Still, long term, Driver predicted that making the switch to .Net for building new programs would help lift productivity and create more efficiency within companies.

"Over the course of the lifetime of an application, .Net might give you 20 percent cost advantage or more over using the older technologies," he said. "You will be able to recover that migration cost over the course of three to five years."

Companies making the switch could do so all at once, but most will likely make the change over a longer period of time. Either way, the cost of migration stays the same.

"It's an issue of paying the 60 percent up front or over the course of three years," Driver said.

The largest cost is code conversion. Because it is difficult to calculate, the 60 percent estimate in some cases could be too low.

The cutting edge can hurt
Gartner based its migration cost estimates on Visual Basic.Net and not on its cutting-edge, Java-like Visual C# programming language. One reason: Cost. A forthcoming study will say the migration cost associated with C# would be even higher than the standard Visual Studio .Net tools, Driver said.

"Some clients have asked about going directly to C#," Driver said. "For the vast majority, going from Visual Basic to Visual Basic.Net may be painful, but it's going to be the least painful of the strategies."

C# is seen as a crucial programming language for advancing .Net. Use of the language doubled in six months, according to a March study by Evans Data.

Without a doubt, companies switching to the new tools and migrating software applications over the long haul will find the switch over the easiest, but even they face difficulties in planning. Driver used the example of a developer running the older version of Visual Studio and Visual Studio .Net over a protracted period.

"That becomes untenable at some point," he said. "You've got to make the switch. So even if you go with a hybrid model, you've got to remember that you're spreading your resources thin over two different platforms."

There are other concerns about making the switch to .Net. At the top of the list is security, Driver said. Following a January memo from Chairman Bill Gates ( news - web sites), Microsoft cranked up emphasis on security. But problems have still surfaced in recent months.

"Some people are hesitant to put Internet Information Server (behind a public Web site) because of security issues. Well, .Net doesn't really address those problems," Driver said. "IIS is still just as vulnerable with .Net running behind it as the older ASP (Active Server Pages) code running behind it."

IBM and Sun also are pushing hard into Web services, advancing their own technology strategies and tools.

Security will be an important part of that emerging market. Market researcher ZapLink said on Thursday that the Extensible Markup Language ( XML) and Web Services security market would top $4.4 billion in 2006.

Encryption technology isn't any more "open source" than a master key at a car dealership.

Exactly right -- with a car key, you have full access to the 'encryption technology' architecture.

You know what the key looks like, how it works, how it interacts with the lock to open it.

You just don't have the key. Really, it's the exact same system, exact same point.

Am I mistaken, or did you say you're not familiar with software dev?

Am I mistaken, did you admit not to have any common sense?

Nope, not a lick! Just ask my wife.

As you said, Open-source allows everyone to see exactly how the lock operates, see the lock themselves, look at exactly how the lock is built and how the keys are made.

Just like with a Master lock. The 'security architecture' in a Master Lock is not a secret. Just the specific parameters of the key used for each lock is secret. And that is how security works.

Closed-source actually makes for a *less* secure lock.

If letting people see how the lock works makes the lock unsafe, then the lock has a built-in hole that someone *will* find sooner or later.

Open-source increases the chances of finding that bug by a factor of a gazillion (scientifically speaking).

Secrets = less security?

Nice try...

Folks, you've witnessed being led down the "encryption" rabbit hole over open source. It's a common tactic - when the failings of open source are presented in common language that everyone can understand, an open source cultist will defend the faith by a deflection on a seemingly related topic. In this case: debate the security of encryption rather than the inherent insecurity of open source code.

Look at it like this - Imagine you outlined the blatant and brutal nature of radical Islam. You cited specific examples of terrorism from Hamas to Al-Qaeda and ended it with: "Islamic radicals are intellectually and morally barren. You're either with the terrorists or you're on the side of freedom."

The reply: "The intellectually barren Islam you speak of invented rhyming poetry and Arabic numbers we all use today and drive the world economy. Don't you know anything about history?"

Now you have to chase down the Arabic numeral/rhyming poetry rabbit hole and prove how much history you really know while the terrorist laughs. That's my fault and unlike the cultists, I'll stick to the main issue - the inherent insecurity of open source.

"Open source" combination locks have the numbers in the combination freely available for peer review.

Wrong, an encryption standard works the same way regardless of how it is implemented. Commerical PGP is just as crackable as GPG, it's open source counterpart. You don't simply look at a block of code and see a key. You see a means to brute force a key maybe. There are no major proprietary algorithms that cannot be brute forced. It is unrealistic to try it since current computers suck at factoring which from what I've read is the key to brute forcing. Scott, once again, you're clueless. You crack the algorithm, not the code. The algorithm is going to be virtually identical regardless of whether it is commercial or proprietary encryption. If it isn't then it isn't the same then you're cracking two different types of encryption.

Encryption technology isn't any more "open source" than a master key at a car dealership.

Then please explain to me the existance of the OpenSSL library for UNIX users that allows Mozilla to interact with the same HTTPS servers that a proprietary program, Internet Explorer, can interact with. I'd like to hear you're justification for how OpenSSL is not in fact open source encryption software and how PGP is not open encryption since there are open source clones of it such as GPG.

Plus, every self-appointed evangelist of the open source cult offers up their PGP key for supposed "secure" communication purposes to anyone that wants it on their websites.

Oh brother, you really don't know jack about encryption, do you scott? Do you think that a huge block of seemingly random junk is what they type into PGP to decrypt a message or file? Let's ask the magic eight ball: "My sources say no." You see Scott, that is a essentially a scambled key generated by PGP so that another user can encrypt a message using your key without them know what the key's passphrase is. That way Scott, you can get someone's key, encrypt a message and they can decrypt it and only they know what passphrase they used to decrypt your message with.

Stay on target, Rogue Two. The topic is Microsoft.Net and the open source cult fanaticism - not encryption.

That's really funny Scott because a quick search through the article's body didn't return any result for the search phrase, "open source." In fact the article is about the cost of switch to .NET and has nothing to do with open source software.

(If need be, head to Slashdot for name calling and tangential rabbit hole debates)

If I wanted a case study in ad hominems, I'd read a few of your articles....

Secrets = less security?

Secret code = more mistakes in code.

Okay, you've never coded. I'm sure you've written stories or papers for school, yes?

Writing software is like writing a story or paper in which not a single word or mark can be out of place or wrong.

Now imagine a piece of software a few hundred thousand lines long. The mistakes are the security holes.

If you have 1 writer looking it over, there's no way he catches all the mistakes.

If you have 2 people looking it over, you have twice as much chance of getting all the holes.

If you have 2,000,000 eyeballs looking it over, you have a *very* good chance of getting the largest % of the holes. Realistically, you may never get all the holes. But you find more quicker with more eyeballs.

The big problem is not with hackers who break into systems by breaking keys. That pretty much takes a major organized effort and some real talent.

99.5% of the hacking is people taking advantage of known, existing software defects. That's IIS's problem, in fact.

The numbers bear this out.

Apache just had it's first major exploit in 4 YEARS, while IIS seems to be on a monthly exploit release schedule.

Okay, you've never taken a test in school. This is how open source works for tests:

In a test, you have to get all the right answers or you don't get to move up a grade.

If one person looks over the shoulder of the smartest kid in class to get the answers off of his test, it means that person doesn't have to learn.

If two people do it, two undeserving kids get to move up.

If the whole class can cheat off of you, they all move ahead without doing any work but the school system gets more money because test scores have vastly improved.

Ah, but if millions of kids are all taking the test together, it's not cheating because there's no competition, everyone can give their answers and work out problems together, there are no bad grades, students immediately come up with new solutions on every subject and everyone feels good about themselves. Open source makes this all possible.

This is called "fantasy" because it goes against human nature and doesn't work. Cyber-conservatives know this while the vocal minority on the Linux left still hasn't figured it out.

I'm curious -- do you agree that most software security holes are developer errors?

If so, do you see how the more eyeballs look over a piece of code, the fewer errors will be there?

If so, do you see how fewer errors means more secure software?

Consider: even for closed-source software, the rule of eyeballs exists. Proprietary software companies -- like mine -- try to get as many eyeballs to look at code as possible. We have code reviews and use peer programming, and are encouraged to help each other out and review each other's work regularly.

Open-source just takes that concept to it's logical extreme.

If one person looks over the shoulder of the smartest kid in class to get the answers off of his test, it means that person doesn't have to learn.

I hope you aren't suggesting that you can code without learning a programming language just by looking at other people's code. That would be the dumbest damn argument against OSS I've ever heard. That would be akin to arguing that you can skip learning Spanish by looking at your neighbor's Spanish-language essay.

Cyber-conservatives know this while the vocal minority on the Linux left still hasn't figured it out

You are not a conservative Scott. You rant and rave against the vast majority of conservative positions. You have clearly demonstrated on numerous occassions your support for large and intrusive government with vast surveillance powers. You have supported big business at the expense of individual rights which is not a conservative position and you have advocated squashing technological innovation in order to protect corporate America, that too being a very unconservative position. It is one thing to protect copyrights, an idea I wholeheartedly support, but I and the majority of libertarians do not support limiting technological innovation to protect monied interests. You have no right to make a profit, only a right to try to make a profit. If you cannot make a profit using the method you're trying, then find a different one. That's the nature of capitalism. Don't like it? Shut up and go live in Europe where economics are "fair."

That you are incapable of telling a libertarian position from a leftist position shows how little you know about politics. You just don't get it Scott. I'm not even a Linux user anymore! I can use Linux if I feel like it because I have a basic, but solid understanding of how to configure and use most major distributions. I have been one of the few people on FR who is opposed to using MS software, but totally support them in the antitrust case as a company. I do however think the DOJ should open a perjury investigation against certain executives.

Yep, now it's the "learning Spanish" rabbit hole, the "you don't know the facts" name calling and the hypocritical "I'm the one that loves freedom and liberty - YOU'RE the one who is for Soviet controls on our choice" that cultists like Stallman have parroted for years to deflect any criticism of the inherent lack of security surrounding open source.

This is great! Keep it up. kiddies. That way I know I'm getting through, making an impact and eventually I'll have enough material for an advance on that book deal...

Yep, now it's the "learning Spanish" rabbit hole

Then explain what your post was trying to convey. It came off as, "anyone can look at code and then code as well as the original coder without having to learn how to write code themself."

"I'm the one that loves freedom and liberty - YOU'RE the one who is for Soviet controls on our choice"

Thank you for accurately describing my political views relative to your own. I think you hit the nail on the head. I couldn't have said it any better.

Scott, here's the difference. I believe the marketplace should determine technological evolution, you don't. In at least one article, you have either directly or indirectly suggested that the US Government intervene to protect a business "threatened" by people whose sole "crime" is tinkering with the company's product. You're damn right Scott, that is a Soviet style restriction on freedom of choice. You are a hypocrite, you claim to believe in conservative ideals then in every article you post on FR you consistantly violate virtually every ideal that conservatives cherish. I have never met a true conservative that has anything but admiration for people that reverse engineer corporate technologies such as the XBox. In fact Scott, they tend to say that the US needs more people like that to keep the monied interests from ruining the Republic.

I think the entire concept of .NET supporting many languages is a bit of a joke, to be honest. I don't believe there is a business need to write Cobol on PCs.

There most definately is a business need to write Cobol on PCs. I work for an Insurance company, and our policy admin system was ported to the PC platform using Microfocus cobol. The new version is switching to Fujitsu Cobol, and the next release after that, to the .NET version of Fujitsu's cobol, which will allow us to develop interfaces and extensions using virtually any language .NET supports.

This is a package that cost us over $1 Million to purchase and our in house developers will be using .NET to maintain/extend the system, with a great deal of the work being done in Cobol. Even at that cost, the ability to run it on a $25,000 server vs the $1 Million a year cost of our mainframe (which we eliminated completely with this move) has more than paid for itself.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.