The differences in the innate security of ASP.NET vs PHP come down to the scope of what functionality and features are provided by either technology. Fundamentally, the security of a web application is dependent upon the implementation, but the technology used to implement that website will impact the amount of effort required to write secure code.
Microsoft’s ASP.NET provides a full stack of technologies to enable developing a maintainable, performant and secure website. Each layer of this stack has been tested by Microsoft for security vulnerabilities and is deployed as a whole. When a security vulnerability is identified, in any layer of the ASP.NET stack, the fix can be deployed in the same manner, no matter where in the stack it occurs. Applications written using ASP.NET would typically use the facilities provided by the ASP.NET stack rather than bringing in third-party libraries to provide fundamental web application framework features.
PHP on the other hand is actually quite a low level website runtime, providing limited functionality to the developer for creating a website. One could make the argument that PHP is inherently more secure than ASP.NET due to the fact that it has fewer features and therefore a smaller attack surface. However, the comparison between ASP.NET and PHP is not an equal one.
Modern PHP websites would typically use a third-party framework to provide a maintainable structure to the site and to maintain developer productivity levels attached by other web technologies. So, one would typically compare developing with ASP.NET vs PHP/Zend or ASP.NET vs PHP/CakePHP. There are quite a few different frameworks that all target the same problem of writing maintainable websites in PHP (http://www.phpframeworks.com/ lists several popular frameworks). This is where the main security issue lies.
Not only is a PHP web application subject to vulnerabilities in the PHP runtime, but also from vulnerabilities in the third-party frameworks and libraries fundamental to creating a maintainable and secure site. These frameworks and libraries are often provided by multiple vendors which have differing capabilities to manage security vulnerabilities in their frameworks. While packaging PHP frameworks and libraries has improved in recent years, and several libraries are often packaged with various Linux distributions which ease deployment of security updates, a typical PHP site will use libraries from various sources. There will therefore always be additional complication when deploying security updates as compared to an ASP.NET based site.
Discover how Software Solved can help relieve the pressure on your IT department.