Problem solve Get help with specific problems with your technologies, process and projects.

Are there security concerns when porting from IIS to Apache?

Changing application platforms can be a daunting task. Doing it the right way requires a lot of oversight and proper management. While the transfer itself is complicated, there are also security concerns that teams should be aware of before porting any critical application.

My software development team is considering porting a critical application from IIS to the Apache platform. Are there any big problems with this which could hamper our overall security?
Based on what I see in my security assessments, Apache has its general problems like IIS, but nothing of major concern if it's managed properly.

There is one thing that stands out to me when testing Apache-based applications though. It's that accompanying software such as OpenSSL, PHP, MySQL and so on, are often out of date. This speaks more to a system patching and change management problem within the organization than it does to the security of the platform itself. However, it's a problem nonetheless which can create pretty big issues if it's not managed properly.

Case in point, in my Web security assessments I often come across the OpenSSL ASN.1 vulnerability on Apache systems which dates back to 2003. I often get push back from developers regarding the relevance of this flaw. However, the source code to exploit this flaw is readily-accessible on the Internet that anyone can download, compile and run to bring your Apache-based systems down. Numerous other similar vulnerabilities exist as well. The bottom line: Apache is as good as the administrators and developers who configure and maintain the system.

Dig Deeper on Topics Archive

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.