Making Progress in Security? A Personal View

I don't normally comment on security issues, mostly because it's not my specialist subject. It's fair to say though that our record hasn't always been admirable in years gone by, as Slashdot and others gleefully point out. But sometimes perception starts to overtake reality and comments that are no longer justified start to take on a life of their own.

I saw one statistic that shocked me this afternoon though. Windows Server 2003 has been released for a whole year now. How many vulnerabilities do you think we've had to patch in IIS 6.0 over that time? Check out the answer for yourself by visiting the TechNet security centre and selecting "Internet Information Services 6.0" from the drop-down list. I often hear developers say that Apache is far more secure, but is it?

Don't get me wrong - I'm not for a moment trying to suggest we've solved the problem, or that we're in any way complacent. I know we've got a huge amount of work to do before we can truly stand up with our heads high. We are deadly serious about getting this right. But perhaps we're not quite as bad as the industry perception suggests...

Comments

  • Anonymous
    April 07, 2004
    http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/31/10465.aspx
    http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/30/10388.aspx
  • Anonymous
    April 07, 2004
    There is one thing that still bothers me...
    Microsoft is still not fixing security issues fast enough:
    http://www.eeye.com/html/Research/Upcoming/index.html
    http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html
  • Anonymous
    April 08, 2004
    I think the important thing is that most of the security problems are very simple; buffer overruns or something similar. I would be much more worried, if the problems were on the architecture/software design side. Simple typos are easy to fix and eventually there will be libraries that are likely to prevent them from causing trouble.
  • Anonymous
    April 08, 2004
    <Check out the answer for yourself by visiting the TechNet security centre and selecting "Internet Information Services 6.0" from the drop-down list. I often hear developers say that Apache is far more secure, but is it?>

    Regardless of which MS product you choose on that site - it still brings up a blank list. Something tells me that simply can't be right :)
  • Anonymous
    April 08, 2004
    Piyush, I definitely don't get that - do a search for Windows NT 4.0 for example and see a fairly large number of patches :-)

    Juha, I quite agree: it's a matter of design and then of process.

    Tim