Wednesday, October 18, 2006

Oracle patching Tsunami

Yeah – it’s been quiet here at InfoSecToday. I’ve been letting Mike and Steve run with our collectively demented thought processes. However, this one from Oracle, posted on Computerworld, piqued my interest this morning.

One thing that we’ve all learned (the hard way) is that you must keep up with vendor patches to the best of your collective abilities. Of course, this does mean that you do a proper risk assessment and only disrupt your business’s operations to the minimum level necessary. In the case of Microsoft, they got religion after Slammer and Blaster and now have a robust (really, they do) vulnerability assessment mechanism and patch distribution program. Earlier this week, Oracle finally admitted that they’ve drunk the patching Kool-Aid® and will be releasing patches, not only on a regular basis, but with actual details on what they are patching and why.

Hallelujah. But that was the easy part. The hard part will be getting all of the infrastructure and business application groups that have come to enjoy a significant level of “patch complacency” to start thinking in the “must patch regularly” mindset. This means that SLAs (service level agreements for those not in the ‘enterprise’ spaces) need to change, and horror of horrors, you’ll actually need to know what’s deployed in your environment – AND – what versions.

Where am I going with this? It means that the burgeoning CMDB market will get a boost, existing Change Management (another Enterprise euphemism for doing what you said you’d do, when you said you’d do it) processes will get better, and overall this is a good thing. Now, if we can only get the other players, especially all of the layered products out there (such as Adobe, etc.) to play the same game, we’d all be much better off. Although some within my group may disagree, CVSS and CVE are good starts. The software industry as a whole needs to get on the same wagon, and not fall off when things get rough.

More to come…

Bill P
