DEBRIS.COM
good for a laugh, or possibly an aneurysm

Thursday, September 27th, 2001

Bill Gates has no clothes!

As reported throughout the web, the Gartner Group has recommended that some enterprises “immediately investigate alternatives to [Microsoft’s commercial webserver application] IIS, including moving Web applications to Web server software from other vendors.” The report’s title is telling: Nimda Worm Shows You Can’t Always Patch Fast Enough.

Think that through… one of the largest, most-quoted technical analytical groups on the planet is recommending that companies not use Microsoft software. More strikingly, they’re recommending that corporate users abandon Microsoft software. A reasonable person might have to conclude that the Microsoft software in question is dangerous.

But if that’s the case, how could IIS have gained 26% market share? How could systems administrators be so blind as to install such bad software, especially when the market leader, Apache (58% market share), is free and has a dramatically better security history?

To be sure, updating server software, and watching for new vulnerabilities, is required for all admins. But I contend that Microsoft still fares worse than any other vendor. Here’s the evidence: Microsoft has released 11 “critical security updates” in 2001 alone.

Gartner goes on to say that IIS will continue to be a victim of worms and viruses until Microsoft releases a new, “completely rewritten, thoroughly and publicly tested” version of the program. Consider the implications of that statement: IIS is so bad it can only be fixed by discarding the entire mess and starting from scratch.

Joel Spolsky has written a well-reasoned essay about why rewriting software from scratch is a huge strategic mistake. Why? Because there is no guarantee that the rewrite will be any better than the original. I agree.

But his comment that “IIS has been publically tested, for about six years now, on millions of web servers and with thousands of hackers trying to find bugs,” ignores the reality that IIS is clearly not robust enough for enterprise use, no matter how well tested it has been.


posted to channel: Web
updated: 2004-02-22 22:49:16
