Opinion
How Microsoft Influenced Adobe Security (In a Good Way)
Microsoft used to be the poster child for insecure software. Now Adobe is following in its footsteps with a set patching schedule. CSO Senior Editor Bill Brenner says Microsoft deserves credit for actually improving security.
By Bill Brenner, Senior Editor
June 10, 2009 — CSO —
When I first started writing about information security five years ago, all a writer had to do was mention Microsoft in the same headline space as "security vulnerability" to strike page-view gold. In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.
During conference keynotes and panel discussions, all someone like security luminary Bruce Schneier had to do to get applause was pan Microsoft's handling of one security incident or another. [More on Bruce Schneier: Security ROI: Fact or Fiction?]
That's not so much the case today.
Microsoft still does a lot of things to annoy people. Its release of Vista didn't go so well and the company is trying to make up for it with Windows 7.
But most will admit the software giant has made monumental security strides in recent years. One example of that has become a much-copied practice among vendors.
In 2003 Microsoft moved to a monthly security update popularly known as Patch Tuesday. Security vendors and their PR flaks have gleefully promoted it like a monthly tornado or hurricane watch ever since. [Read about the Patch Tuesday hype machine]
CLICK HERE for Microsoft's June 2009 security update
Oracle eventually followed Microsoft's lead by unveiling a quarterly patching cycle, and now Adobe has followed suit with its own quarterly security update, the first of which is this week. [Listen to Gary McGraw's discussion with Adobe security chief Brad Arkin]
CLICK HERE for Adobe's security bulletins and advisories page
It's an example of other vendors copying something that worked elsewhere.
Though a lot of smart people in the industry think vendors should patch individual flaws as they surface instead of saving fixes for a set day, the IT security practitioners I talk to say the set patching cycle has made their organizations more secure and their lives less chaotic.
IT shops have been able to plan around the Microsoft security updates, as well as the Oracle schedule. Adapting to Adobe's schedule shouldn't be too difficult, either.
Admins like it this way because they don't have to drop everything and scramble to test and install a surprise security update. They know when the fix is coming and how many days it will take to run them through the test beds before deploying them across the organization.
Companies have come to rely on Adobe's product line, especially Reader and Acrobat. If someone in the company opens up a .pdf file or edits a photo, they're almost always using Adobe to do it. Adobe also suffers from the frequent appearance of security holes attackers could exploit to infect machines that are incorporated into botnets and exploited in other insidious ways. [See Botnets: 4 Reasons It's Getting Harder to Find and Fight Them]
Microsoft
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
