I think you are absolutely right in your discussion of coding. As for the "myriad of options", go to Google and search on "Hardening IIS". That is a good first step.

Blevins

-----Original Message-----
From: Shafik Yaghmour [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 10:10 AM
To: Andrew Blevins
Cc: 'irado furioso com tudo'; Hornat, Charles; 'Baba Bogdan'; [EMAIL PROTECTED]
Subject: RE: IIS

Well, with open source you can actually verify the security, depending on how diligent you wish to be; with closed source you must rely on the vendor's due diligence. Open source can be patched by you in case of critical emergencies (I have had experience with this option, so it is a reality), and even if you are not skilled enough to fix it yourself, it is likely someone else in the open source community will be and will post the patch publicly. With closed source, in most cases your only choice is to wait on the vendor and hope their priority is to fix that issue.

I also find that you can tell a great deal about the people who developed a product by examining their source code. When we interview people at my company we ask for code samples, and it is a strong component in the decision to hire someone, or at least points out potential issues/weaknesses. I think the same principle definitely applies to software: good coding practices and secure software go hand in hand. I am not saying sloppy code is always insecure, or that good neat code is always secure, but it can be indicative.

Curious myself, can you explain the "myriad of options"? I am not saying they do not exist, but it would be more helpful to be explicit; I would prefer not to just take your word on it :{) .

Take care

On Wed, 9 Jan 2002, Andrew Blevins wrote:
> Why is it automatically easier to harden an open source product? Also, there
> are a myriad of options for hardening an IIS box than just patches.
>
> -Curious
