Scoble quotes someone claiming IIS is more secure than Apache, at least if you judge by counting up published exploits.
But I don't exactly trust Microsoft. They've certainly improved, but they evaluate a reported security hole against a different set of criteria. Is there an exploit in the wild right now? How risky is the patch itself? Is the person who reported it going to take it public? When Microsoft releases a patch, they must carefully consider all sorts of things related to their business, since in the end that's what it's all about. Will the cost of releasing this patch outweigh the cost of not releasing it? I don't think Microsoft is evil for doing this, BTW.
Open source projects have no such limitations. If it's a security bug, they fix it right away, pretty much without question. That gives me, as the administrator, control over the risk: do I rush out and patch, or do I hang back a bit and possibly leave myself open to exploitation? I can make that decision based on my own judgement and what's best for my business/website/whatever.
If an attacker is going to target your site, and has the knowledge and patience to look for a security bug to use against you specifically, he or she is likely going to find one in any web server, except maybe a small, security-minded, hand-audited piece of code. So against a determined attacker it really doesn't matter which you use; both will be broken.
So what becomes important is the delay between an exploit being discovered and the patch being applied on your servers. That delay is a lot more transparent and open with open source software, and that makes me feel more comfortable.
This holds only up to a point, of course; if the problems come so quickly that every week brings a new patch, that's a pain, and it changes the equation.
This is Rob Meyer's weblog, a weblog focused on software development and system administration based on 10 years of experience. Want to explore further? You can find out more about me or see the rest of my website.