Thursday, August 25, 2005

Why is IIS more secure since 6.0?

If you read Michael Howard's blog, you may remember his article titled "IIS6 vs Apache2 Security Defects". Based on third-party data, IIS 6 shows a better security track record than Apache 2.

So why has IIS 6 become so much safer, especially given the notorious security history of IIS 5?

In his new book 19 Deadly Sins of Software Security, Michael Howard tells an interesting story:

(Page 3) "Internet Information Server (IIS) 6.0 web server switched entirely to a C++ string class for handling input, and one brave developer claimed he'd amputate his little finger if any buffer overruns were found in his code. As of this writing, the developer still has his finger and no security bulletins have been issued against the web server in the nearly two years since its release."
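To make the point of that anecdote concrete, here is an added illustration (my own code, not anything from the book or from IIS) of why switching input handling to a string class removes a whole class of defects. The C-style version keeps a hypothetical 64-byte buffer for a Host header value and must get the length comparison and the snprintf return-value check right at every call site; the std::string version applies the same policy limit, but the memory safety no longer depends on that arithmetic, because the object owns storage that grows with the data. The header values are constructed samples.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// ---- C-style: fixed buffer, manual length bookkeeping on every call ----

const size_t kHostBufSize = 64;   // hypothetical fixed buffer for a Host header value

// Copies `input` into a 64-byte buffer. Every caller depends on the comparison
// below being exactly right; '>' instead of '>=' would allow a one-byte overrun
// when the terminating NUL is written.
bool copy_host_c(const char* input, char out[kHostBufSize]) {
    size_t len = std::strlen(input);
    if (len >= kHostBufSize) {
        out[0] = '\0';
        return false;
    }
    std::memcpy(out, input, len + 1);
    return true;
}

// Builds "host=<value>" in a caller-supplied buffer. snprintf never overruns,
// but it silently truncates, so the return value must be checked or a
// truncated line is treated as if it were complete.
bool format_host_line_c(const char* host, char* out, size_t out_size) {
    int n = std::snprintf(out, out_size, "host=%s", host);
    return n >= 0 && static_cast<size_t>(n) < out_size;
}

// ---- std::string: storage grows with the data; there is no capacity to exceed ----

const size_t kMaxHostLen = 63;    // the same limit, now an application rule, not a memory-safety one

bool copy_host_cpp(const std::string& input, std::string& out) {
    if (input.size() > kMaxHostLen) {
        out.clear();
        return false;
    }
    out = input;
    return true;
}

std::string format_host_line_cpp(const std::string& host) {
    return "host=" + host;        // append is memory-safe whatever host.size() is
}

// Constructed sample inputs (not from the original post): a normal header value
// and an oversized one of the sort a malformed client or a fuzzer would send.
std::string sample_ok()   { return "www.example.com"; }
std::string sample_long() { return std::string(200, 'A'); }

// Runs both styles over the samples. Returns true when the C-style code rejects
// the oversized value at every step and the std::string code handles both
// values with no length arithmetic at the copy and append sites.
bool demo() {
    char buf[kHostBufSize];
    char line[kHostBufSize + 8];
    bool c_ok = copy_host_c(sample_ok().c_str(), buf)
             && format_host_line_c(buf, line, sizeof line)
             && !copy_host_c(sample_long().c_str(), buf)
             && !format_host_line_c(sample_long().c_str(), line, sizeof line);

    std::string host;
    bool cpp_ok = copy_host_cpp(sample_ok(), host)
               && format_host_line_cpp(host) == "host=www.example.com"
               && !copy_host_cpp(sample_long(), host)
               && format_host_line_cpp(sample_long()).size() == 5 + 200;
    return c_ok && cpp_ok;
}

int main() {
    std::printf("both styles behaved as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The difference to notice is where the risk lives: in the C-style code, two separate sites (the copy and the snprintf) each carry a check that a reviewer must verify, and the oversized input is only safe because both checks are correct; in the std::string code the oversized input is still rejected by policy, but even if that policy check were forgotten, the worst outcome is an over-long string, not a write past the end of a buffer.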


