Wednesday, May 20, 2009

Adobe Drops Patch Tuesday Hammer on Us

Adobe products have been the proverbial deer in the security headlights the last couple of years, with the firm standing accused of everything from shoddy application development to long turn-around times on their fixes when problems are discovered.

Some of the same charges were historically leveled at Microsoft, who responded with a hailstorm of security patches each time they had a fix to roll out.

Beleaguered system administrators and corporations wailed about how difficult it was to keep up with the pace, since one hotfix had barely been tested and deployed before another was in the chute.

Microsoft responded by designating the 2nd Tuesday of each month as "Microsoft Patch Tuesday", as it came to be known amongst the tech crowd. While it didn't necessarily stem the flood of fixes needing to be deployed, it did allow for better resource management and regular cycles of user acceptance testing (UAT) prior to distributing the code into the production environment.

It seems Adobe has taken a lesson from Microsoft: they have announced that they will release security fixes on a quarterly basis, on the 2nd Tuesday of every third month.

Adobe, responding to criticism of poor security practices and a maddeningly slow response to known vulnerabilities, also promised to release emergency fixes on a more timely basis. At the same time, they pledged to do a better job of continuously reviewing their products from a security engineering perspective, the hope being that they will identify (and close) vulnerabilities before they become widely known and exploited.
This would be welcome news for security professionals, who have seen Adobe products used in almost half of the targeted attacks so far this year.

By emulating Microsoft's refined process already institutionalized in most companies, Adobe hopes to piggyback off of the painful lessons learned in Redmond.
That strikes me as an admission that Adobe doesn't know how to execute core vulnerability management processes or develop them internally.

This approach is obviously meant to stop the bleeding as more infosec professionals are contemplating moving away from Adobe's platform to alternative products that have less of a target painted on them.

While I wish Adobe success in their endeavor, I'm not optimistic that they will be able to maintain the pace of the security patch treadmill over the long term.
