Linked by Thom Holwerda on Fri 14th Apr 2006 21:31 UTC, submitted by Dylan
Privacy, Security, Encryption
"Windows has grown so complicated that it is harder to secure. Well, these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications."
Thread beginning with comment 114953
RE: Easy..
by rayiner on Fri 14th Apr 2006 22:22 UTC in reply to "Easy.."
rayiner Member since:
2005-07-06

Is that really true, though? According to Netcraft, Apache runs 64% of web servers on the internet, while IIS runs 25%. By your logic, exploits of Apache should be far more common than exploits of IIS. However, in practice, we see the opposite to be true.

What I don't understand is why everyone falls into an "all software development practices are created equal" line of thought. Is it really hard to believe that projects which have no shipping deadlines, constant peer review, and high developer enthusiasm produce better code?

Reply Parent Score: 5

RE[2]: Easy..
by mOOzilla on Fri 14th Apr 2006 22:24 in reply to "RE: Easy.."
mOOzilla Member since:
2006-04-11

It says "Windows" in the title of this thread, it does not say IIS or Apache. This topic title is about Windows vs Linux.

Reply Parent Score: 1

RE[3]: Easy..
by sappyvcv on Fri 14th Apr 2006 23:40 in reply to "RE[2]: Easy.."
sappyvcv Member since:
2005-07-06

Um.. read the article. It's about Apache and IIS.

Reply Parent Score: 2

RE[2]: Easy..
by smashIt on Fri 14th Apr 2006 22:55 in reply to "RE: Easy.."
smashIt Member since:
2005-07-06

"Is that really true, though? According to Netcraft, Apache runs 64% of web servers on the internet, while IIS runs 25%. By your logic, exploits of Apache should be far more common than exploits of IIS. However, in practice, we see the opposite to be true."

I don't know from where you get your information, but to me it looks a bit different:

IIS: http://secunia.com/product/1438/
Apache: http://secunia.com/product/73/

Reply Parent Score: 4

RE[3]: Easy..
by Lettherebemorelight on Fri 14th Apr 2006 23:03 in reply to "RE[2]: Easy.."
Lettherebemorelight Member since:
2005-07-11

Did he say his statement was limited to Apache v2 and IIS v6?

Reply Parent Score: 1

RE[4]: Easy..
by DKR on Fri 14th Apr 2006 23:45 in reply to "RE[2]: Easy.."
DKR Member since:
2005-08-22

The number of vulnerabilities doesn't matter if the open source world can fix them near instantly.

Secunia's data is also often outdated.

Also, Microsoft doesn't publish all of their vulnerabilities because they have something to lose if they did: shareholders.

Dude, get the real facts.

http://www.theregister.co.uk/security/security_report_windows_vs_li...

Reply Parent Score: 0

RE[3]: Easy..
by dylansmrjones on Sat 15th Apr 2006 09:49 in reply to "RE[2]: Easy.."
dylansmrjones Member since:
2005-10-02

According to Danish Secunia, IIS6 has twice as many open security holes as does Apache 2.0.x.

So we can conclude this: IIS6 has had fewer advisories, however they have not been patched (closed). Apache 2.0.x has had many more advisories, however all but one have been patched (closed). This leaves 2 unpatched for IIS6 with 1 unpatched for Apache 2.0.x.

You can probably figure a lot of other things to do with statistics. Do that and then we can all bash each other with wonderfully meaningless statistics.

Final conclusion: When comparing apples with oranges, apples tend to have more worms than oranges, unless the oranges aren't really oranges but actually rotten apples, and one cannot see the difference. Or perhaps it's the apples which are unripe, or a combination of all. (It doesn't make any sense, but neither do statistics when used this way.)

Reply Parent Score: 0