Thursday, September 04, 2008

The Web changes everything - Can you have Version Control and Security?

We developed our ideas of corporate network support years ago: careful release cycles, tested software, and practices such as program testing, integration testing, system testing and deployment testing. Steady, planned and paced. Make no mistake - these practices were developed for real reasons.

Right outside our firewalls today, however, is the raging chaotic storm that is the Internet. Attacks on new vulnerabilities emerge in the wild in three to five days. A significant delay in patching a browser can have serious consequences faster than ever. Taking the time to test patches for 3 months before applying and deploying them - prudent practice 8 years ago - is arguably an act of irresponsibility today.

Agility in operations management and systems administration separates the protected in-house applications, such as Office and the desktop, from the external-facing applications (web services, VPN, browser), and provides rapid response on the external-facing side without sacrificing governance. Even desktop applications require regular updates now. Open Office issued an urgent 2.3 to 2.4 upgrade. Microsoft have issued critical patches to address vulnerabilities in MS Office.

What liability rests with IT management when an organisation has not applied patches quickly, even though the patch and the reason for it are in the public domain? What liability is there when outdated browsers are deployed? In concession to IE6 users, IE6 is still under maintenance by Microsoft, but is your copy really up to date? If it is one patch and 5 days behind, your security may be an illusion.

I hate to say it, but when it comes to external-facing software - patch and patch often.
