Sunday, August 13, 2006

A different View of Netcraft Server Usage Rankings

Here's a twist on how to read the Netcraft rankings, which tell you how many of each type of web server (IIS, JBoss, Jetty, Apache, Tomcat, etc.) are in use on the Internet.

The way these rankings are gathered is by crawling the web and sending each web server an HTTP request. The Server header in the response announces what software (and usually which version) the server is running, and that is what gets added to the statistics.

Consider that a properly secured configuration will not advertise this information. As new vulnerabilities are announced, attackers scour the Internet for that banner (the same way Netcraft does) to find the servers, and the versions, the vulnerability applies to, so they can attempt to exploit it.
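Here is that survey mechanism in miniature, along with the reason a hardened server drops out of it. This is an added example written for this post, not Netcraft's code: the server-family signatures, the `probe` helper and the sample responses are my own constructions, not captured from real hosts.

```python
"""Added example: a Netcraft-style server-type survey run offline over
constructed HTTP responses, plus the live probe it is modelled on."""
import http.client
import re
from collections import Counter

# Substrings that identify a server family in the Server header.
# The family names and this ordering are assumptions for this example;
# Tomcat is checked before Apache because its banner ("Apache-Coyote/1.1")
# would otherwise be miscounted as Apache httpd.
FAMILY_SIGNATURES = [
    ("Tomcat", "apache-coyote"),
    ("Jetty", "jetty"),
    ("JBoss", "jboss"),
    ("IIS", "microsoft-iis"),
    ("Apache", "apache"),
]

# First version-looking token after a "/" or "(", e.g. "Apache/2.0.55" or "Jetty(6.0.1)".
VERSION_RE = re.compile(r"[/(](\d+(?:\.\d+)+)")


def parse_headers(raw: bytes) -> dict:
    """Return the header fields of a raw HTTP response with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(banner):
    """Map a Server header to (family, version); no banner means 'hidden'."""
    if banner is None or banner.strip() == "":
        return ("hidden", None)
    low = banner.lower()
    for family, signature in FAMILY_SIGNATURES:
        if signature in low:
            match = VERSION_RE.search(banner)
            return (family, match.group(1) if match else None)
    return ("unknown", None)


def survey(responses):
    """Tally server families across raw responses, the way a crawl would."""
    counts = Counter()
    for raw in responses:
        family, _ = classify(parse_headers(raw).get("server"))
        counts[family] += 1
    return counts


def probe(host, port=80, timeout=5):
    """Live version of the check: one HEAD request, return the Server header
    (None if the server does not advertise one). Not used by the offline demo."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample responses for the offline demo (not captured from real hosts).
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.55 (Unix) mod_ssl/2.0.55\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Jetty(6.0.1)\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",  # version stripped
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",  # banner removed entirely
]

if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        print(classify(parse_headers(raw).get("server")))
    print(survey(SAMPLE_RESPONSES))
```

The last two sample responses are the interesting ones. On Apache, `ServerTokens Prod` (with `ServerSignature Off` for error pages) gets you the bare "Apache" banner, which still counts toward the Apache tally but no longer tells an attacker which version to aim at; on IIS 6 the URLScan option `RemoveServerHeader=1` drops the header altogether, and that server simply vanishes from the survey. Note also the `X-Powered-By: ASP.NET` header in the IIS sample: a server can give itself away in more than one place, and a crawler that fingerprints error pages or header ordering can often still tell what it is, so treat banner hiding as one layer on top of patching, not as a substitute for it.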

So instead of thinking, hey, most people use IIS so I'm going to use that too, you can think: geez, IIS has the most installations that are still announcing exactly what they are, so there are more IIS admins who don't know what they are doing, security-wise, than admins of other types of web server.

By the way, I haven't looked to see which type of server is most widely used right now; IIS is just an example. It is probably one of the free web servers like Apache, which is a good web server for certain uses. The problem is not with the server itself. The problem is with administrators who are not properly trained to implement secure configurations of their web servers.

I, for one, knew my limitations and hired a managed hosting company, thinking they would have all the answers to make my systems secure so I could focus on development. Not so. Your application developers need to be aware of application issues, and your internal staff and/or external auditors need to be checking everything your managed hosting company is doing. People at managed hosting companies can make mistakes, and there is also the possibility of internal security breaches.

So secure your web server by hiding the implementation from prying eyes, including, unfortunately, Netcraft. Hiding the banner only takes away the easy signpost, though; the server still has to be patched, because an attacker who has found it by other means will not care what it calls itself. Additionally, run security audits and don't assume your administrator or your managed hosting company can find every single problem. Security is a tough issue that requires constant monitoring and updating to keep up with the hackers.