[kwlug-disc] Security arguments

Raul Suarez rarsa at yahoo.com
Tue Sep 22 11:38:28 EDT 2009

Again, after using Linux I am convinced that it is more secure than Windows, but I'm just doing my homework so I can successfully argue that (one person at a time, probably).

I realize that the stats presented there were old (2007); I also realize that they combined cases related to bad practices along with server issues.

I've also looked at released patches and security advisory numbers, but I know they are comparing apples and oranges, as different companies release patches and disclose advisories differently, so they can be interpreted however it suits you.

Are there any statistics or "hard proof" other than anecdotal evidence that indicates that Apache/Linux is more secure as a platform?
Raul Suarez

Technology consultant
Software, Hardware and Practices
An eclectic collection of random thoughts

From: "john at netdirect.ca" <john at netdirect.ca>
To: KWLUG discussion <kwlug-disc at kwlug.org>
Sent: Tuesday, September 22, 2009 11:10:21 AM
Subject: Re: [kwlug-disc] Security arguments

Always suspect and carefully inspect statistics. They can easily be interpreted or used improperly.

If the question is "which web server is more secure" then the article that you posted is not relevant. Here's why:

Most of the attack methods are common to both platforms and Apache scores worse because of its market share. This includes stolen passwords, man in the middle attacks and the many flaws in web applications. How is this Apache's fault?

Arguably misconfiguration could be a web server's fault but the article doesn't break that down by platform.

You could choose to search the CERT database https://www.kb.cert.org/vuls/html/search but even that needs to be done carefully. The number of items and the severity of bugs need to be evaluated. Also be aware that not all vulnerabilities may be listed there.

Apache is open source, so it will have vulnerabilities found that have never been exploited. They were found by examining the code. With IIS, since there is no source code generally available, the bugs may be ones actually exploited. Minor flaws found by MS staff may not be reported. I suspect that more of Apache's flaws are listed in CERT and fewer of IIS's flaws are.

I understand your desire to fight FUD whether or not the FUD benefits you. But keep in mind that the odds are stacked against the truly honest. Marketing dollars force corporate-generated FUD into our faces all the time. There are people whose full-time jobs are to do just that. The vocal minority that fight FUD do not have the marketing budget or reach to fight it.

-----kwlug-disc-bounces at kwlug.org wrote: -----

>To: KWLUG discussion <kwlug-disc at kwlug.org>
>From: Raul Suarez <rarsa at yahoo.com>
>Sent by: kwlug-disc-bounces at kwlug.org
>Date: 09/22/2009 10:26AM
>Subject: [kwlug-disc] Security arguments
>I made the mistake of making an off-the-cuff remark regarding web
>server security without doing my homework.
>One of the arguments from Khalid in his Apache presentation was that
>there were more Apache servers but still more attacks on windows
>servers, disproving the theory that Linux is not attacked because it
>just has a low market share. What I understood was that the IIS
>breaches were more frequent and more public and I took that
>understanding at face value.
>Of course I may need to eat my hat as this person brought up this
>I've said in the past that facts should trump FUD and I've tried to
>be very objective when talking about Linux to maintain credibility
>but now I feel that that link breaks one of my "strong" arguments.
>I know that facts and interpretation of the facts aren't always the
>same thing. Even facts could be perceived differently depending on
>the angle you look at them at.
>Up until now I've been convinced by what I've seen that Linux is
>safer than Windows but my Linux experience is on the desktop. Now I
>realize that I've extrapolated that to servers without having first
>hand experience.
>The question is clear and open: 
>What are the facts, hopefully statistically based, that prove that
>Linux Web servers are safer than Windows Web servers?
>Or even that Apache is more secure than IIS?
>I think it's a valid question and one that may help us better
>position our arguments in favour of Linux.
>Raul Suarez
>Technology consultant
>Software, Hardware and Practices
>An eclectic collection of random thoughts

