Making Progress in Security? A Personal View

I don't normally comment on security issues, mostly because it's not my specialist subject. It's fair to say though that our record hasn't always been admirable in years gone by, as Slashdot and others gleefully point out. But sometimes perception starts to overtake reality, and comments that are no longer justified start to take on a life of their own.

I saw one statistic that shocked me this afternoon though. Windows Server 2003 has been released for a whole year now. How many vulnerabilities do you think we've had to patch in IIS 6.0 over that time? Check out the answer for yourself by visiting the TechNet security centre and selecting "Internet Information Services 6.0" from the drop-down list. I often hear developers say that Apache is far more secure, but is it?

Don't get me wrong - I'm not for a moment trying to suggest we've solved the problem, or that we're in any way complacent. I know we've got a huge amount of work to do before we can truly stand up with our heads high. We are deadly serious about getting this right. But perhaps we're not quite as bad as the industry perception suggests...