1

I was reading about Hiawatha and I was wondering if really Freebsd+Hiawatha could be considered safer than Linux+Lighttpd or any other webserver.

Moreover, if you were to have to host a very sensitive website, which software platform would you use?

Mascarpone
  • Security is predominantly a factor of configuration rather than platform. All software platforms have security holes and there is no way to definitively determine if one has fewer than another. Very secure sites can be reliably built using any major platform. – squillman Jun 16 '11 at 17:28
  • I was expecting an answer like this. Given that you have a capable admin, a dedicated firewall and IDS, and everything is well configured, there would be any plus to use Hiawatha and Freebsd over other platforms? – Mascarpone Jun 16 '11 at 17:30
  • It looks like Hiawatha has a small development team and is far less deployed than other webservers. From a security perspective these are both risks -- fewer developers working with the code and fewer people using the code typically means that critical bugs take longer to discover and longer to resolve. If something claims to be "highly secure" demand to see evidence in terms of security incidents per capita (or some other hard metric of your choice). – larsks Jun 16 '11 at 17:42
  • You could say the same for FreeBSD... anyhow that's the same objection which came to my mind... – Mascarpone Jun 16 '11 at 18:10
  • The FreeBSD development team isn't "small", and it's deployed far more widely than you would think, especially if you consider systems built on top of FreeBSD that don't carry the FreeBSD branding (e.g. Juniper's JunOS is based on FreeBSD) – voretaq7 Jun 16 '11 at 18:24

3 Answers

8

The HTTP Server is just one aspect of hosting a sensitive website. Hiawatha looks like it has some nice features but if it were me I'd stick with something less esoteric and follow a blueprint like the NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5.

Cheers

HTTP500
3

If I were to have a very sensitive website (and in fact I do have one that's subject to US HIPAA law and the PCI Data Security Standards) I would build it on top of FreeBSD, Apache, an appropriate language (PHP, Ruby, etc.) and the skills of a good developer who knows how to build secure web applications.

FreeBSD and Apache are both well-tested. FreeBSD ships out of the box in a relatively secure configuration and requires only minimal additional hardening, and Apache has been beaten on for 15+ years now: Many of the "easy" holes have been found, and what's left is largely a matter of proper configuration and a well-written application that doesn't leave holes for attackers to penetrate your security.

I would also suggest reading through the NSA Guidance Jason linked to, as well as the PCI-DSS linked here (the former talks about securing an individual machine, the latter about general security of an environment and handling sensitive data) -- Adhering to those principles will go a long way toward helping you design a stable, secure environment.

voretaq7
  • ... FreeBSD .... Apache .... PHP .... relatively secure configuration ... no, your advice is not so good. See Julien's answer. – that guy from over there Sep 06 '13 at 08:18
  • @thatguyfromoverthere I advised the OP to review standards documents and guidance that address more than just "what OS should I pick?", and advised them to use `the skills of a good developer who knows how to build secure web applications`. I fail to see what's "not-so-good" about that advice. Do you have a *specific* issue with something I've said, or are you just looking to complain about something? – voretaq7 Sep 06 '13 at 15:30
  • See Julien's answer and squillman's comment. Given enough resources you can build up very secure systems with any OS or programming language. But if your webapp has security flaws, you are doomed. The right advice would be: if you don't know how to do it, get someone to do it. And if you want to learn it, choose one system and go deep, until you find the flaws (and workarounds :) I DID NOT want to say that you cannot build securely on your advice, though. – that guy from over there Sep 06 '13 at 15:54
  • @thatguyfromoverthere `and the skills of a good developer who knows how to build secure web applications.` should cover the application angle. My platform information is specifically addressing the second part of the OP's question: *if you were to have to host a very sensitive website, which software platform would you use?* - Unless business reasons dictated otherwise I would choose FreeBSD and Apache as the core, because I have over a decade of experience with that platform and can do a proper configuration lockdown of both in my sleep at this point. – voretaq7 Sep 06 '13 at 16:02
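Both squillman's comment and voretaq7's answer come down to the same point: the lockdown is in the configuration, not the choice of OS or daemon. The following is an added example, not code from any answerer or from the Apache project, showing what "proper configuration lockdown" looks like as a check rather than a checklist: a small Python script that parses an httpd.conf fragment and flags the classic information-disclosure settings. The directives (ServerTokens, ServerSignature, TraceEnable, Options Indexes) and their httpd defaults are real; the config fragment is constructed for the example and is not any real server's configuration.

```python
# Added example: audit an Apache httpd.conf fragment for common weak settings.
# The sample config below is constructed for illustration, not taken from a real host.

SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable Off
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# Hardened value and the risk of leaving it weaker. These are real httpd directives.
EXPECTED = {
    "ServerTokens": ("Prod", "reveals version and module details in the Server header"),
    "ServerSignature": ("Off", "appends the server version to error pages"),
    "TraceEnable": ("Off", "the TRACE method echoes request headers back to the client"),
}

# What httpd assumes when the directive is absent (per the httpd documentation).
DEFAULTS = {"ServerTokens": "Full", "ServerSignature": "Off", "TraceEnable": "On"}


def parse_directives(conf_text):
    """Return (directive, value) pairs; container tags like <Directory> are skipped."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found.append((parts[0], parts[1].strip()))
    return found


def audit(conf_text):
    """Return a list of findings; an empty list means no weak setting was detected."""
    findings = []
    seen = {}
    for name, value in parse_directives(conf_text):
        seen[name] = value  # last occurrence wins, as httpd does for single-valued directives
        if name == "Options":
            opts = value.split()
            if "Indexes" in opts and "-Indexes" not in opts:
                findings.append("Options enables Indexes: directory listings expose file names")
    for name, (want, why) in EXPECTED.items():
        got = seen.get(name, DEFAULTS[name])
        if got.lower() != want.lower():
            origin = "" if name in seen else " (httpd default, directive not set)"
            findings.append(f"{name} is {got}{origin}, expected {want}: {why}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WEAK:", finding)
```

Run against the constructed fragment it reports three findings (ServerTokens, ServerSignature and the Indexes option); TraceEnable is already off and is not reported. The DEFAULTS table is the part worth keeping: an audit that only looks at directives present in the file misses the case where a risky default (TraceEnable On) is inherited simply because nobody set it.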
3

Your server is as secure as your weakest link. Your weakest link is probably not your web server or OS (in Linux vs. BSD), but your web application.

Julien