eWeek: Apache avoids most security woes

Jul 24, 2001, 15:40 (11 Talkback[s])
(Other stories by Timothy Dyck)

eWeek offers a look at Apache's solid security record ( "the server's last serious problem (one where remote attackers could run arbitrary code on the server) was announced in January 1997") and examines the reasons behind its success. Open source, says the article, doesn't acount for as much as good design and a usable configuration process:

"...Why has Apache done so well and IIS fared so poorly?

Having published source code helps but isn't enough on its own-the widely used Berkeley Internet Name Domain Name server from Internet Software Consortium Corp. and Washington University's FTP server also have source code available, but both have poor security records.

Going over Apache's security advisories back to the server's Version 1.0 days shows that the secret-in addition to solid coding and scrutiny-lies in a minimalist design, careful attention to detail and a configuration process that makes it easy for administrators to know what's going on."

Complete Story

Related Stories:

• Yahoo!/ZDNet: IT bugs out over IIS security(Jul 23, 2001)
• Eric S. Raymond: Reliance on closed source for security considered harmful(May 16, 2001)
• The Register: MS Hotmail servers begin switch from FreeBSD to Win2k(Aug 01, 2000)
• Apache Today: Web Servers of the Fortune 500: A Dissection and Analysis(Jul 22, 2000)
• Nua Internet Surveys: Apache Still Towers Over Server Market(Jul 20, 2000)
• VNU Net: Apache is chief on websites worldwide(Jul 07, 2000)
• IT-Analysis: Apache rules the web(Mar 25, 2000)