Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.
You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.
I can’t think of any reason for Oracle and Microsoft to release patches on the same day as they did last month. Even worse, three vendors — Apple, Adobe and Microsoft — all released patches yesterday. Of these, only Microsoft had a scheduled release that IT teams could plan for. Adobe did a better job communicating this month than they did last month, but releasing on the same day as Microsoft was a bad idea because it makes hash out of everyone’s resource plans for the week. Adobe probably felt they were in the clear given Microsoft’s small release of a single bulletin, but they were trumped within minutes by the massive Apple OS update containing fixes for 67 documented vulnerabilities (CVEs).
Why do vendors do this? They know they are going to release a patch and they can certainly communicate with their customers about what to expect. IT security teams that have all three software packages in-house are forced to expeditiously choose which set of patches to roll out first. And these decisions often come at the expense of other internal IT projects.
It is important to receive security patches quickly. More importantly, if you are in lockstep with your vendor’s bug fix cycle, then both vendor and consumer can deliver on expected outcomes. Why not assume that your customers would like to plan to have the resources available to install your patch as soon as you release it? And why not assume that your customers’ IT teams have a hundred other things to do besides patch your product?
* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.