[oclug] Re: LAMP vs MS Solutions for Small Business

A Blair ablair at gmail.com
Fri Feb 18 01:39:51 EST 2005 

I would again like to thank Rod Giffin for input and especially Fred
Jensen - your analysis is very interesting.  But Fred, on your point
#2 regarding Windows/IIS/MSSQL/etc:

> 2 - [Security issues] Enuff said.

Actually, it isn't.  Having had issues in the past, security is one of
our bigger concerns.  Our prosepective programmer(s), who have been
trained at Waterloo extensively in MS technologies point out that
Apache has had a much worse security track record than IIS (eg
http://weblogs.asp.net/michael_howard/archive/2004/10/15/242966.aspx )
and that Linux in the LAMP setting also fares poorly vs Windows (eg
they pointed out recent studies such as
http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html
).  On top of these and other data, they said that fundamentally, it's
not the technology that makes a system secure or insecure but more in
the way it is administered, which seemed reasonable to the board of
directors.  Therefore they argue, that if administered properly, a
Windows/IIS/MSSQL/etc. solution is just as secure as a LAMP solution
(note that this goes against the sentiment of what Mike Soulier said
in this thread: "The skill of the author is mostly irrelevant if the
language itself is broken in some way").  Plus Mike wrote:

> "PHP belonging to the "security hole of the month"
> club. [...] I have no idea if the authors of PHP know what they're doing. I've seen
> plenty of evidence that they do not, but PHP's security track record isn't great."

..which does not instill confidence in the LAMP solution if PHP is the
main contender to take the place of ActiveX/COM.  On the whole the
business will have to weigh Fred's points:

1 - Software/Hardware costs (both initial and ongoing)
  Hardware is a tie for both; in software LAMP seems to have the edge;
2 - Security issues
  There seems to be an edge for Windows/IIS/MSSQL/etc;
3 - Support costs
  This is probably equal for both;
4 - Accessibility (for users)
  Since any ActiveX functionality will be on internal store LANs, this
is not really relevant;
5 - Programming costs
  Equal for both;
6 - Scaleability
  Fred's right: we're not planning to be the next Akamai, so this
isn't really relevant.

Because security trumps cost for us (as in most businesses) according
to this analysis the Board would probably go with the Microsoft
solution.  Whoa, can I be reading this right - a discussion on the
relative merits on the *Linux* users group mailing list results in the
adoption of the Microsoft solution?

A Blair

More information about the OCLUG mailing list