Mark Pilgrim wrote today about Apache’s security vulnerabilities, noting that only 25 vulnerabilities were found in this Web server in the last five years (counting vulnerabilities from both the 1.3 and 2.0 releases), most of which were not serious (like exposing a script’s real path under certain circumstances). For a server that boasts 11 million active installations according to the latest surveys — three times more than its next competitor — it’s surely an impressive fact.
This finding highlights, in my opinion, the advantage of the open source development model. Besides showing fewer vulnerabilities, Apache also has a strong community whose response to those threats has always been faster, more efficient, and better handled than equivalent answers in similar commercial packages.
From my own experience, I still remember the day when Code Red struck IIS sites and my home machine was infected because I had forgotten to keep my copy up to date. I simply had no time or will to keep up with all the updates and patches required for a secure server. Today I’m running Apache 2.0 at home, even under Windows, and I only run IIS when I need to test specific behavior (and I keep the machine disconnected from the Internet when I’m using it that way). As Pilgrim wrote in his post, one only needs to check a version number to ensure one is running the latest copy of Apache. This is a priceless asset for any administrator or Web developer.