Today, we released the final Cisco IOS Software Security Advisory Bundled Publication of 2013. We committed to these predictable disclosures back in 2008 because your feedback was clear—they allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. (For more information on the history of this evolution, take a look at my colleague John Stuppi’s post this past March.) If you haven’t had the opportunity to review my earlier posts on preparing for bundled disclosures or leveraging the Cisco IOS Software Checker tool, I’d encourage you to do so now. Hopefully, the guidance will help lessen the impact of evaluating the recently published Cisco Security Advisories. Read More »
“A security advisory was just published! Should I hurry and upgrade all my Cisco devices now?”
This is a question that I am being asked by customers on a regular basis. In fact, I am also asked why there are so many security vulnerability advisories. To start with the second question: Cisco is committed to protecting customers by sharing critical security-related information in a very transparent way. Even if security vulnerabilities are found internally, the Cisco Product Security Incident Response Team (PSIRT) – which is my team – investigates, drives to resolution, and discloses such vulnerabilities. To quickly answer the first question, don’t panic, as you may not have to immediately upgrade your device. However, in this article I will discuss some of the guidelines and best practices for responding to Cisco security vulnerability reports.
“Change is inevitable—except from a vending machine.”
In the spirit of Robert C. Gallagher’s famous quote—and in our quest to never be a vending machine—we’ve rolled out several updates to Cisco’s Security Intelligence Operations (SIO) Portal which I trust you will find useful. Thanks to your feedback, we continue to evolve the Portal to ensure that relevant security content is where you need it, when you need it. Providing timely information to our customers requires not only a global team of Cisco security experts to pipeline the latest information, but a complementary team who ensures that the most significant issues are also the most visible. In fact, that’s the most exciting change we made: a new ‘Security Highlights’ tab which allows a cross-functional group, led by our content managers, to call out the most important issues to our customers. That way, instead of looking at IntelliShield alerts, Cisco Security Notices, or Event Responses individually when time is scarce, this new tab gives you an at-a-glance view of Cisco security content our experts feel is most pressing given all of the events into which we have a view.
Security automation is a hot topic these days. Most organizations have many systems to patch and configure securely, with numerous versions of software and features enabled. Many security administrators are seeking ways to leverage standards and available tools to reduce the complexity and time necessary to respond to security advisories, assess their devices, and ensure compliance so they can allocate resources to focus on other areas of their network and security infrastructure.
Cisco is committed to protect customers by sharing critical security-related information in different formats.
Starting today, September 26, 2012, Cisco’s Product Security Incident Response Team (PSIRT) is including Open Vulnerability and Assessment Language (OVAL) definitions in Cisco IOS security advisories. Read More »
As previously discussed here on the Cisco Security blog, the Cisco Product Security Incident Response Team (PSIRT) follows a twice-per-year schedule for disclosing high-severity security vulnerabilities in Cisco IOS Software. The next Cisco IOS Software Security Advisory Bundle will be released on the 26th of September at 16:00 GMT. Our Security Vulnerability Policy describes the schedule best:
In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday 16:00 GMT of the month in March and September of each calendar year. This schedule applies to the disclosure of Cisco IOS Software vulnerabilities and does not apply to the disclosure of vulnerabilities in other Cisco products.
We offer several convenient and timely ways to learn of new
Cisco Security Advisories and Cisco Security Advisory Bundles.