Print
Discuss
Send to friend
RSS feedsIf you were one of those people who opposed Microsoft's decision to issue monthly patches, you may now have even more grounds for grievance.
Oracle has taken a leaf out of Microsoft's somewhat blotted copy book, and it too is now issuing bundled patches once a month. Such moves are fuelling the debate on whether the big-bang approach to fixing flaws is better than a drip feed of patches.
Some firms are worried that the monthly extravaganza puts their already overburdened administrators under far too much pressure. The first Oracle bundle contained fixes for more than 60 vulnerabilities, some discovered as long ago as January.
Critics say that the monthly surge in work means that security personnel will have one extremely busy period and up to 30 days of relative quiet. Given that every patch may need to be tested before deployment, the burden may be far too great.
Another complaint concerns the fact that attacks do not take place on a monthly cycle. While the vendors may say that they will issue patches immediately if a serious vulnerability should surface, it is the vendors - not users - who decide what constitutes serious.
The practice of having a regular, monthly date to issue fixes to combat the constant barrage of attacks is designed to give the impression that the vendors are bringing order to chaos. This monthly cure-all is sending out the message that flaws in mission-critical software are acceptable and can be dealt with in a logical, clinical manner.
Issuing patches at short notice might suggest crisis, and could attract the attention of the world's media. It might also give the impression that some vendors are supplying very vulnerable products. It was interesting that Oracle's latest patch dealt with flaws that had been identified a long time ago. Microsoft has been guilty of similar delays in providing fixes.
As the major software suppliers face growing pressure from the stock market to deliver results, it is clear that they will do whatever they can to bolster confidence in their products. But it is important that they do not put the god of spin above substance.
IT directors want to know about vulnerabilities as soon as they are discovered, especially as new corporate governance rules mean they may have a duty to regularly assess and report operational risks. The fact is that IT now accounts for the bulk of that risk for many firms.
The debate over responsible disclosure will continue to rage. However, there can be no excuse for software vendors delaying fixes to fit in with monthly cycles if the aim is simply to give the impression that they are in control.
For better or for worse, the monthly patch is fast becoming the standard in security. IT directors will have to ensure that their administrators are given the resources they need to deal with a monthly peak in activity followed by a lull - and this could mean drafting in freelance security experts for the days of issue.
But in the meantime, IT directors should continue to push for better quality software, and make their protests extremely vocal if they feel that they are being supplied with fixes too long after vulnerabilities are brought to light. Why should the customers pay for the mistakes of their suppliers?
del.icio.us
Digg this
reddit!
