Schneier, Howard and security

Bruce Schneier's Crypto-Gram is now a weblog, with an RSS feed and everything.

The latest post is an interview of Schneier by On the question of whether open source products are more secure than closed source he says:

There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis.

I find it curious that he mentions Apache as secure software, especially in the light of what Michael Howard found in “IIS6 vs Apache2 Security Defects”: that since IIS6 was released there have been 2 advisories against it, and in the same period there were 20 advisories against Apache 2.0. Howard uses numbers from Secunia. In the same period there was one advisory against thttpd and ten against Apache 1.3. Another very interesting thing is that there is not a single advisory against Tomcat 4 or Tomcat 5 from the Jakarta project in the same period.

The above-mentioned web servers obviously vary wildly in capabilities and features, so a direct comparison is unfair. It is interesting, though, that Tomcat does so well by these metrics; it is the only product written in a “safe” language (Java). The others are written in C or C++ as far as I know.