The best compilation of such materials that I've seen is the work by Ron Ritchey. His work is about two years old, but it still holds some valuable lessons. To summarize his findings, both Web servers have had major flaws. The number of IIS breaches has been higher in the past, and the time to release fixes was longer.
More recently, Microsoft has worked to close this gap. I haven't seen a detailed survey of the issue since Ritchey's survey, but in my experience, Microsoft is meeting some success in IIS itself. (However, major problems, such as WebDAV from May 2003, continue to be discovered.)
The hacker community has taken a keen interest in exploiting IIS, given its widespread use, history of flaws and Microsoft origin. While both Apache and IIS exploit research is ongoing, it appears that the number of people attacking IIS is higher.
So, how should you decide whether to go with Apache or IIS? I advise that you focus on the one where your team has the most system administration expertise. Sure, Apache may be theoretically less vulnerable than IIS. But, if your team cannot administer an Apache box, you are hosed. A well-maintained IIS box is certainly more secure than a poorly maintained Apache box. Likewise, if your team has solid Apache expertise, go with that.
For more info on this topic, visit these SearchSecurity.com resources:
Best Web Links: Web servers
Web Security Tip: Keep Apache patched
The Information Architect: Microsoft pushes security in IIS 6.0