Overall, IIS More Secure than Apache...?
I find myself disagreeing at times with Roger Grimes' column on security. But for this one I think he nails the issue perfectly. You see, although IIS gets a lot of bad press for being a "hackable Microsoft product," in the macroeconomics of internet threats and exploitation it actually holds up better than its more highly-praised cousin, Apache.
Roger cites the economics of hacking (> market share = > hacking attention), the enhanced out-of-the-box security position of IIS, and the greater security knowledge IIS administrators tend to have as factors...
What? A security columnist commenting that, "the average Apache Web administrator has less security knowledge than the average IIS administrator?" Heresy! Or is it...? Roger goes on:
I find Apache Web administrators much more likely to download and use dubious code from the Internet (which a previous Google study revealed often contained malware). While both types of Web administrators, in general, really don’t care about security, IIS is helped by the fact that it has had only three published vulnerabilities over the last four years, as compared to Apache’s 33.
Read the full version of Roger's excellent article here:
http://www.infoworld.com/article/07/06/29/26OPsecadvise_1.html?source=NLC-STOADV&cgd=2007-07-02
