Wow! We just published our tenth bundle of Cisco IOS Software Security Advisories and what a ride it’s been!! Way back when in the fall of 2008 when we produced our first Cisco IOS Software Security Advisory bundle, we had no idea of the impact that this delivery format would have on us internally and, more importantly, on you – our customers!! The decision to deliver the biannual (on the fourth Wednesday of every March and September) Cisco IOS Software Security Advisory Bundled Publication brought with it many challenges, process changes, and—in the end—a format for Cisco Vulnerability Disclosure that we hope addresses at least some of your concerns. This format was modeled after the scheduled monthly release used by Microsoft for years, known affectionately as “Microsoft Tuesday” and based on requests we heard through discussions with many of our customers.
Historically, customers made it clear to Cisco that every release of a Product Security Incident Response Team (PSIRT) Security Advisory created significant challenges for them as organizations. Their ability to react with confidence was limited by the lack of proactive guidance from Cisco. The following is a direct quote from a Cisco customer:
“The announcements were random acts of terror that always seemed to be launched at the worst possible time. When one was announced, we had no warning and thus had a mad scramble to assemble both our Cisco team and our internal resources to understand and respond to the PSIRT. It was awful, every time. Since we didn’t know when the PSIRTs were coming, we were often caught unaware and without the proper internal resources to analyze them. And, since the PSIRTs were announced to us at the same time as our customers, we were under immense time pressure to analyze and respond to our customer queries almost instantaneously.”
As a result of this feedback from our customers, partners, and customer-facing employees regarding the security disclosure process, Cisco evolved the Cisco IOS Software Security Advisory program in 2008 to include two key elements:
- The “bundling” of Cisco IOS Software Security Advisories. Through modification of internal Cisco processes, customers are now offered a common version of code to which they can migrate for all identified issues in a specific Cisco IOS Software bundle.
- In the footsteps of Microsoft, Cisco initiated releases of Cisco IOS Software Security Advisory bundles on the fourth Wednesday of March and September of each calendar year.
So how can you help us? What we would like to get now is feedback from our customers on how the bundle delivery format has changed your lives (well, at least during working hours!), for better or for worse, when it comes to dealing with Cisco PSIRT security vulnerabilities identified in your Cisco IOS environment.
The information you provide in this survey will help Cisco to continue to evolve our vulnerability disclosure process to address your challenges and concerns, just as we did back in 2008 when we listened to you and developed the Cisco IOS Software Security Advisory bundle process.
Please complete the survey, reply with your comments to this post, or feel free to contact me directly if you prefer! Thank you for helping us to help you!!
And, as always, please visit the Cisco Security Intelligence Operations (SIO) Portal for information on the Cisco IOS Software Security Advisory bundle, as well as other collateral – best practices & white papers, the Cisco Security Blog (), Security Advisories (), Applied Mitigation Bulletins (), IntelliShield Alerts (), and IPS Signature information () – to help you detect and mitigate threats on your network.
I believe the PSIRT notification system works well. My big complaint is it seems that some software trains mentioned in EOL notices and PSIRT updates to that train don’t match up. Take the 12.4 mainline train. My Cisco SEs are telling us there will be no rebuilds for PSIRTs in 12.4, but the EOL notes (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6350/end_of_life_notice_c51-574251.html) seem to indicate there should be updates until Jan of next year for PSIRT issues. Being a govt contractor, we’re forced to mitigate PSIRTs rapidly, but moving to 15.0 for older platforms we’re in the process of retiring isn’t possible, and for others, memory upgrades are required. I’ve complained to the SE team about this, but hopefully this will help from the top more.
Thanks for your feedback, you raise a good point regarding the language in the document you linked. We are working with the team responsible to clarify the language and will have someone contact you regarding your specific situation.
Comments are closed.