On a high-level perspective, the type of technology (Linux, Windows,
Apache, IIS, etc.) used to support websites may not be relevant if the
company is aware of the security risks associated with these
technologies and has implemented appropriate and adequate security
controls to mitigate the associated risks.

I just want to share one of my posts to msforums.ph that may be
relevant to this topic:

"According to ZONE-H, Linux more defaced than Windows"

"Hi there, I just read all the posts in this particular topic, and I
want to share some important points. I don't want to comment on which
is more defaced, or which is more secure. Security should be
implemented on all three layers of IT: People, Process and Technology.
It doesn't really matter if you're running IIS or apache, open source
or proprietary, as long as you've implemented appropriate (proper) and
adequate (sufficient) controls to mitigate security risks on the three
layers. Companies have various reasons for using open source and/or
proprietary software, but it's more of enabling (or supporting) their
business processes to maximize profit and minimize costs.

Most of my clients are in a Windows environment, using IIS as web
server of their .NET applications. I can tell you that most of the
Windows servers are unpatched or contain known and documented security
vulnerabilities. But does it mean that they are insecure? One of my
clients is using Debian (Lenny) as OS of a PostgreSQL database server
holding production information. Is the company at risk of losing data
because of using a still buggy linux distribution? Another client of
mine, has a J2EE Internet Banking application running on a vulnerable
version of Apache Tomcat. Again, does the company have a high risk of
being hacked? It turned out that all of them passed the security
evaluation (with points of improvement) because they have something in
common: Risk Management. These companies recognize the business and
technical risks they face and have taken steps to implement solutions
(either a safeguard, a process or someone) that would meet their
security, functional and performance objectives.

I am an open source advocate, but then, I do understand the need for
proprietary software, especially from a business perspective. It's just
a matter of understanding the strengths and weaknesses of both, and how
you can use this information to provide the right solution (security,
functional, performance) to any kind of business or technical
problem."

-- 
Sincerely yours,

Cris


On Fri, Oct 17, 2008 at 12:05 PM, Ariz Jacinto <[EMAIL PROTECTED]> wrote:
> If the reporter saw those same stats then we can't blame him, right? I
> remember replying to a similar inq7.net article a few years ago but
> all I got was an invitation to join Phil Honeynet ;-)
>
> I don't mind reading the same from a blogger as long as he/she can
> point me to his/her sources and/or disclose his/her sponsors (catch
> my drift?), and I don't think we should group the defacements by OS
> alone, especially when there are a lot of possible points of entry, i.e.
> web server, web apps (bulletin board, blog, etc.), or through an
> incompetent developer (unfiltered POST vars, etc. [1]).
>
> [1] http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>
> On Wed, Oct 15, 2008 at 10:12 PM, Danny Ching <[EMAIL PROTECTED]> wrote:
>> Interesting stat. In the upper left corner of the page it shows that 68% of
>> web site defacements were Linux based. Could this be because of SQL
>> injection or inherent weaknesses in the OS?
>>
>> If it is SQL injection then I'd guess it's because more amateur coders use
>> Open Source, therefore less emphasis on security. What do you think, guys?
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
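The thread names "unfiltered POST vars" and SQL injection as a point of entry that has nothing to do with the OS. The following is an added illustration, not code from any list member: a constructed SQLite table stands in for a site's user store, and a lookup that splices a POST variable into the SQL text is shown beside the parameterized form that a code review or web-app assessment would expect. The table, column names and the `post_username` parameter are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a web application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("carol", "viewer")],
    )
    return conn


def lookup_unfiltered(conn, post_username):
    """Weak pattern: the raw POST value becomes part of the SQL statement,
    so quote characters in the input change the query's structure."""
    sql = f"SELECT username FROM users WHERE username = '{post_username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, post_username):
    """Hardened pattern: the POST value is bound as a parameter, so the
    database engine treats it as data regardless of what it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (post_username,))]


def demo():
    """Run both lookups on a benign value and on a constructed value that
    contains a quote character, and return what each query gave back."""
    conn = make_db()
    benign = "bob"
    # Constructed input: a single quote followed by an always-true condition.
    quoted = "x' OR 'a'='a"
    return {
        "unfiltered_benign": lookup_unfiltered(conn, benign),
        "unfiltered_quoted": lookup_unfiltered(conn, quoted),
        "param_benign": lookup_parameterized(conn, benign),
        "param_quoted": lookup_parameterized(conn, quoted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unfiltered lookup returns every row for the quoted input, which is exactly the "unfiltered POST vars" failure the thread refers to; the parameterized lookup returns nothing for it and is unaffected by the web server or OS underneath. The same review check applies whether the page is served by IIS or Apache: any string concatenation into SQL is a finding, independent of platform.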
