Re: Site Traffic Reporting



Juan T. Llibre shared this with us in
microsoft.public.dotnet.framework.aspnet:

> re:
> > A few months ago there was a security flaw in awstats
>
> That's exactly my point.
> They seem to occur more often with Perl than with other languages.

I'm not a security expert, so I won't argue with you on that.
You could be right or it could be your perception.

It's my own impression that most security problems are in software
written in some version of C. But then again, with C you can shoot
yourself in the foot and then no one else can figure out what you did,
and with Perl you separate the bullet from the gun with a
hyperoptimized regexp, and then you transport it to your foot using an
array of arrays of arrays. However, the program fails to run and you
can't correct it since you don't understand what the heck it is you've
written. ;-)

> re:
> > How often do you see that with IIS vulnerabilities?
>
> Do you know of an unfixed IIS vulnerability ?

Currently: no. Not yet. There have been times that a vulnerability
remained unfixed for weeks or months. I can look it up if you want, but
so can you. Google is your friend.

> re:
> > Replace every instance of the word Perl with IIS
> > in that sentence, and it remains a valid statement.
>
> Up until IIS 6, that statement might have been valid.

I totally agree with you. That is why you should read again:

<quote>
IIS has been demonstrated to be a security risk in many ***PREVIOUS***
versions and I don't want to be the booby who proves that the (current)
version of IIS (6) (...) is a security risk, too.
</quote>

Please read this:
http://www.eweek.com/article2/0%2C1759%2C1240915%2C00.asp
It is about IIS 5. With such a bad history, one should always be
careful.

> IIS 6 is the most secure web server on the market out-of-the-box.

I totally agree with you that IIS 6 is the most secure web server of
all IIS versions. IIS 6 even has fewer security advisories than its
largest competitor, Apache 1.3.x.
But this tells you nothing about the severity of a problem. It could
also mean that people are actually looking at the code and finding
bugs, whereas the bugs in IIS are left to be exploited at a later date.
It is also unknown how many security bugs each IIS update fixes since
the public does not have access to the code. The number of security
updates is a double-edged sword.
Let's not forget that Apache is an open source project with many
eyeballs on the code (I'm not saying that there aren't many MS eyeballs
on IIS's code). I would expect a large proportion of those
vulnerabilities to have been discovered by looking through the code
rather than by other nefarious means. However, for a third party to
discover a vulnerability in IIS they would have to have done it blind -
this is often orders of magnitude harder.

> re:
> > Anyway, see this page:
>
> I was one of the early adopters of Perl for Windows.
>
> I dropped it because I can currently do anything I need to do in a
> web application without needing to introduce an unnecessary complexity
> level with Perl, which also introduces additional, unneeded, security
> concerns.

Good for you!
You should always use the tools that best fit the purpose. If you can
do it better/faster in VB.NET or C#, please do!

--
Amedee Van Gasse