The difference is that things like enabling remote errors or disabling request validation in ASP.NET requires that you explicitly change those settings. The default config doesn't expose either of those issues.

I've got a screen capture with bing showing me remote errors. People do make mistakes.

Of course people make mistakes. The point is that the framework doesn't expose you to those risks by default. You have to explicitly make those mistakes yourself.

Further, when ASP.NET does have the odd vulnerability crop up, patches roll out automatically as critical updates via Windows Update. So, these things get patched quickly even if the app or server is no longer actively maintained, as is the case with so much code out there on every platform. Ironically, it's a bit like Windows Server is the Google Chrome of server environments when it comes to frequency and pervasiveness of updates.

Bing are Microsoft dogfooding new tech. They will make mistakes.

For those of us who are conservative there are very few opportunities to make mistakes. We have checklists, security policies, code reviews and even protection components in our framework as well as completely segregated web and back end systems.

However framework vulnerabilities offer a consistent attack surface which needs little analysis or tailoring.

The only vulnerability we've seen (ms11-100) was swiftly dealt with and would have been eaten by our up front load balancers anyway.

Regarding our application, our test load is 134,000 test cases and 220,000 lines of assertions. I can sleep well at night.

I've got to ask: could you share what app or at least industry that app is in? I've never seen 134,000 test cases before for a web app, and 220,000 assertions to boot. What's the ratio of test cases to code? It sounds like a record to me!

Financial services. Test ratio is 1 test per 6 loc.

Not a record. There are some seriously big apps behind closed doors. Its a different world to the public facing web.

Facebook is composed of around 10 million lines of code [1] - the public facing web is big.

I've no doubt Google looks at that and thinks it's almost trivially small (Chromium alone is 6.5 million lines [2]).

There's big apps in private, but very few companies are at that scale.

1 - http://www.quora.com/How-large-is-Facebooks-codebase

2 - http://www.ohloh.net/p/chrome

I've worked in a number of medium to large financial institutions, and 10M LOC is nothing, really. They had subsystems that were bigger than that by a factor of 2.

yes one of our 3rd party quoting engines' source tops 20mloc of java.

Facebook is a really simple project compared to most of these sort of things.

It's written in c#!

Just so that you do realize you have not proven that a bug nor a vulnerability exists - just the behavior of the current system.

Yes this is true but we proactively approach the problem rather than waiting for 3rd parties to find the holes. We are responsible for a couple of patch Tuesdays :)