Friday, March 7, 2008

Cisco patch cycle

Cisco has announced its regular patch cycle, just like Microsoft. There is just a "small" difference between the two companies' processes: Cisco is planning to release patches only twice a year.

What these people need to understand is that vulnerability management is not exactly like change management. Some people believe that long change cycles are a good sign of mature change management. OK, that may be so, but for vulnerabilities the problem is quite different. While you can have a good perception of the probability that a common error will cause you problems, it's almost impossible to have the same number for a vulnerability. Not only can you not have this number, it's also not under your control! That makes vulnerability patching a different kind of change, one that needs to be released as soon as possible.

I'm curious about the motives behind this 6-month period: is it because the testing process for Cisco products is more complex, or are they just less competent than the others at producing patches?