Paul Laudanski of CastleCops fame collected supporting statistics from his own Phishing Incident Reporting and Termination Squad database for me. He said, "For PIRT reports above 500,000 (without checking their phish status): IIS = 1,302 reports, Apache = 20,104 reports. For all PIRT reports w/o confirming status: IIS = 16,744, Apache = 181,724. There are of course other Web servers I haven't checked for." That works out to be about 6 to 8 percent for IIS and 92 to 94 percent for Apache.
The overwhelming slant toward Apache cannot be explained by sheer numbers alone. Netcraft reports that in August 2007, Apache accounted for 48 percent of public-facing Web sites while IIS rose to 34 percent. So does that mean IIS is more secure than Apache?
The real answer, of course, is that both IIS and Apache, if installed as directed by the developers, are relatively secure. Most malicious Web site infections are the result of administrative mistakes and buggy applications — not the underlying Web server software.
Open Web Application Security Project, one of the most respected organizations trying to increase Web server security, continues to report nearly the same top 10 Web site security flaws that have plagued Web sites since the beginning of the Web.
So I want to end my one-way debate of IIS vs. Apache by saying that both are fine, relatively secure platforms. Installing a secure Web server is easy; hosting secure applications on top of that secure base is the true challenge.