Cisco hops onto patching treadmill

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2008/03/06/cisco_patch_cycle/

By John Leyden
The Register
6th March 2008

Cisco has taken a leaf out of Microsoft's book by adopting a regular 
patch release cycle. However, the change will apply only to security 
bugs involving its core IOS software and not all its products.

Starting on 26 March, Cisco will release bundles of IOS security 
advisories on the fourth Wednesday of March and September in each 
calendar year.

The networking giant gave itself room for manoeuvre by reserving the 
right to publish out of sequence patches in cases where serious security 
vulnerabilities are publically disclosed or for bugs which become the 
target of active exploitation.

Cisco will continue to issue security advisories for products other than 
IOS, its network operating system that features on a wide range of Cisco 
switches and routers, as and when needed. For example, future security 
updates to VoIP kit will be published without reference to any regular 
patch release schedule, according to Cisco's pre-existing standard 
disclosure policy [1].

As with Microsoft and Oracle before it, Cisco explained the change is 
the result of customer requests for greater predictability over the 
timing of patch releases. Its patch cycle is less frequent than Oracle's 
quarterly release schedule and Microsoft's infamous Patch Tuesday 
updates, partly because network security updates are often trickier to 
test and roll out than application or operating system patches.

The format of Cisco's advisory will remain unchanged, as explained here [2].

[1] http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
[2] http://www.cisco.com/en/US/products/products_security_advisories_listing.html


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn