Tips That Can Avoid Hacking of Sites

Discussion in 'Security' started by ivenms, Jul 21, 2007.

  1. kisamesama

    kisamesama Peon

    #21
    Any guide about how to program properly without leaving security holes? I usually write all the scripts by myself :S
     
    kisamesama, Aug 29, 2007 IP
  2. FFMG

    FFMG Well-Known Member

    #22
    Well said, IIS is not the problem, the user is.

    I am not saying that MS is great, but more often than not ignorant users will blame the tool rather than themselves.

    FFMG
     
    FFMG, Aug 29, 2007 IP
  3. BTS

    BTS Active Member

    #23
    rfdavid
    IIS Unicode: just put a code after the URL and you get important info.
    Where's the security? <<<<<<< There is none.
    Refer to Netcraft: Apache is the number 1.
    Why people use MS products = just simple to use.
    eBay is a commercial website, so they just need a simple system.
    In your opinion, what is more secure:
    a system developed by 1000....... programmers
    or
    a system developed by some person?
    I know there's no 100% security,
    but MS products don't have any relation with security.
    Dell has a lot of business with Microsoft; they sell Windows with their PCs.
    eBay also has a business relation with MSN.
    Now open source products are becoming more popular in Europe; some governments sponsor them.
    Open source gives more security.
    THE END = MS PRODUCTS ARE 4 NEWBIES
     
    BTS, Aug 29, 2007 IP
  4. rfdavid

    rfdavid Peon

    #24
    > IIS Unicode: just put a code after the URL and you get important info.
    Fixed 7 years ago.

    > Where's the security? <<<<<<< There is none.

    > Refer to Netcraft: Apache is the number 1.
    XP is number 1 on the desktop, so it is more secure than BSD?

    > Why people use MS products = just simple to use.
    One of many reasons. Ease of use is not a bad thing.

    > eBay is a commercial website, so they just need a simple system.
    eBay has a huge team of professionals that specialize in network and programming security. A statement like that shows how little you understand about the subject.

    > In your opinion, what is more secure:
    > a system developed by 1000....... programmers
    Quality <> Quantity

    > or
    > a system developed by some person?
    IIS is not developed by some person, it is developed by a team of professional software developers.

    > I know there's no 100% security,
    Can't argue with that.

    > but MS products don't have any relation with security.
    MS has the same relation with security as any large software group, open or closed source. Any program that is more complicated than "Hello World" will have security issues. Exploits are discovered in all applications from IIS and Apache to MS Word and iTunes. Admins/users have to be vigilant in preventing security breaches and updating their software.

    > Dell has a lot of business with Microsoft; they sell Windows with their PCs.
    Dell also sells Red Hat and Ubuntu.

    > eBay also has a business relation with MSN.
    They also have a relation with Google, who is one of the biggest open source promoters.

    > Now open source products are becoming more popular in Europe; some governments sponsor them.
    There is nothing wrong with open source, and it is chosen where it is the best solution to an organization's goals.

    > Open source gives more security.
    At best it provides the same security. At worst it gives a false sense of security when users think that since they are using an open source product it is perpetually secured right out of the box.

    > THE END = MS PRODUCTS ARE 4 NEWBIES
    That is one of the great things about Windows and MS in general. They are easy enough for my Grandma to use and powerful enough to run a Fortune 500 company on. I am not an MS lover; I use both closed and open source products depending on business needs and available resources. Limiting yourself to one group or another based on some quasi-religious views about development methodologies is kinda silly IMO. I dunno, maybe we will just have to agree to disagree ;)
     
    rfdavid, Aug 29, 2007 IP
  5. BTS

    BTS Active Member

    #25
    > Fixed 7 years ago.
    These are some new bugs, not Unicode; they fix it in one part and new bugs appear in another part.
    Microsoft IIS <= 5.1 Hit Highlighting Authentication Bypass Exploit 2007-05-31
    http://milw0rm.com/exploits/4016
    Microsoft IIS 6.0 (/AUX/.aspx) Remote Denial of Service Exploit 2007-05-21
    http://milw0rm.com/exploits/3965
    Take a tour at milw0rm.
     
    BTS, Aug 29, 2007 IP
  6. rfdavid

    rfdavid Peon

    #26
    The first bug doesn't affect IIS 6.0 and the second is only a temporary Denial of Service that only works on slow servers. DoSing a slow server is hardly a gaping security hole. Check out this bug report from May 2007 (same time as the above vulnerabilities)
     
    rfdavid, Aug 29, 2007 IP
  7. BTS

    BTS Active Member

    #27
    Apache = open source: if you are a pro at programming, you can fix the bug.
    MS products: you must wait for MS to fix the bug, and it takes time.
    So more time = more attacks = customers transfer their sites.
     
    BTS, Aug 30, 2007 IP
  8. FFMG

    FFMG Well-Known Member

    #28
    Not entirely true.
    MS almost always gives you a 'workaround' while they investigate the problem.
    Then a fix is available at the next update.

    Apache does not get updated as often as you make it sound (the security alerts are fixed quickly, but they are not officially released for a long time).
    Many Apache servers are still running on 1.x or 2.0.x.

    Also, MS Windows Desktop might have a lot of security issues (because it is so widely used, I think), but the MS servers are very secure.

    In the end, it is a matter of choice which one you choose, but they are both very secure.

    FFMG
     
    FFMG, Aug 30, 2007 IP
  9. linsys

    linsys Peon

    #29
    Well, eBay's entire BILLING system is all SUN and Oracle. So is AT&T's, DirectTV's, DishNetwork's, Verizon's, Nextell's, and EchoStar's. I know because I was on the team that implemented eBay's billing system, and I also led the re-architecture of the billing systems for AT&T, DirectTV, DishNetwork etc.

    Just because eBay might run their auction site on IIS doesn't mean they TRUST their financials to IIS or any Microsoft product. There is a reason the largest telecommunication companies in the WORLD use a *nix system and not a Windows system for their financial transactions.

    Come to think of it, when I was head of security for CSG Systems, Inc we rented data center space from First Data Corp (the company that handles millions of transactions for the IRS). Guess what: they were using a *nix system as well. I know because their systems were right next to mine.
     
    linsys, Aug 30, 2007 IP
  10. rfdavid

    rfdavid Peon

    #30
    I stand corrected on eBay; they only have their customer-facing servers running IIS. eBay's solution is probably the best in terms of security: use a diverse range of server software. This limits the effects of any bugs and exploits to a smaller group of servers in the datacenter.

    The whole argument anyway is that IIS is inherently insecure and is not worthy of running webservers. eBay is one of the biggest websites in the world and runs IIS. I think the case is closed.

    It seems, though, that the companies you mention as running a *nix financial system didn't choose the server software; they outsourced the financial system to a third party that chose *nix. I am curious what flavor of *nix it is. I think the general consensus around the IT world is that, with everything else being equal, BSD is the most secure, so choosing any other OS would be making a concession.
     
    rfdavid, Aug 30, 2007 IP