Tester’s Challenge update

Opinion
Mar 29, 2004 (5 min read)
Apple, Microsoft, Networking

Major operating system vendors defend existing security information efforts.

Network World’s most recent Tester’s Challenge published two weeks ago called on the major operating system vendors to streamline the process of supplying security update information to customers.

Our charge was that, while information might be available on vendor Web sites, it’s hard to locate and in some cases is incomplete.

Told that their tools are hard to use and inadequate, Microsoft, Novell, Apple and Red Hat chose to defend their existing approaches. None offered any insight about how they intend to improve the situation other than to point to existing plans to automate update tools, which might obviate the need to disseminate some security information.

We offered Microsoft 800 words to respond to this challenge in print, and while the company declined to write a formal response, it did agree to talk to us about its Web-based security resources.

“I can’t say that we hear much about our strategy for pushing out security information being off course, but we do hear often that we can tactically make it better,” says Stephen Toulouse, a security program manager with the Microsoft Security Response Center. The center coordinates how vulnerabilities get reported and fixed, and how customers are notified of those security updates.

Toulouse says Microsoft’s layered approach to supplying relevant security update information can’t be simplified much because its customer base ranges from single Windows users to large enterprise accounts.

Microsoft maintains parallel efforts for consumers and IT staff, both in terms of its e-mail notification services and on its Web site. Consumers can find information at www.microsoft.com/security, while IT staffers will need to hit the Microsoft TechNet Security Resource Center site – www.microsoft.com/technet/security/.

Toulouse says these security pages are updated constantly, even though a prominent link advertised registration for a March 16 event when we spoke with him on March 24.

We pointed out that while Microsoft numbers its security patches in a specific format – MS 04-XXX – you cannot search on that format. Furthermore, the company does not discern between original and updated security bulletins in its overall listings, making it difficult to ensure you have the most recent patches applied.

We also encountered a bug on the security patch search page that did not let us view the security update listing using two different, fully patched Windows XP Pro machines running Internet Explorer. We logged an event error with the support team but had not heard back from them at press time.

Although these points may seem trivial, we argue that security professionals pressed for time need things organized intuitively to ensure their systems are properly secured.

Toulouse acknowledges each of these issues and says he would report them to the team to be addressed.

Apple, Novell and Red Hat all pointed to what they called centralized security pages on their sites.

An Apple spokesman pointed to www.apple.com/security as its go-to security page. However, there is no link to this central security page from Apple’s home page. To get information on vulnerabilities and patches, you have to click over to multiple support pages.

Novell has yet to merge the security information about its newly acquired SuSE Linux operating system, so a spokesman pointed us to two separate sites: support.novell.com/security-alerts and www.suse.com/security/. That means searching for vulnerabilities across Novell’s product line is a multi-step process, but we think Novell will remedy that once it has fully integrated the SuSE assets.

Red Hat offers a central security resource center link, but a spokesman pointed us to www.redhat.com/apps/support/errata/ as the place to get the most-complete security patch information. While the page name is certainly not intuitive, we found this site to be well organized by product, but would like to see a vulnerability search tool added.

Tom Golway, CTO of IT-Defense, a firm specializing in risk-mitigation consulting, says vendors could do more to customize their security interfaces. He points to Amazon.com’s ability to present customized information based on a customer’s profile as a prototype for pushing the right patch information to the right customers.

“All of these companies have deep knowledge bases of security vulnerabilities, common configuration errors that leave you open to attack and bugs that break applications,” Golway says. “They are just a small script away from correlating that information to specific users’ environments.”

All vendors were quick to tout their existing and future automatic update processes as a development that could reduce the importance of disseminating detailed information about security updates and patches.

While auto update might be a good tool for consumers, no company of size is going to permit auto updating without testing it in the lab and then rolling it out slowly.

Additionally, even if the automatic update mechanism works flawlessly, enterprise IT security staffers will still be required to manually audit the updates and maintain change control. If, for example, a CERT advisory comes out, you would want to be able to go to the vendor site for details about how a security update addresses the advisory.
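The two gaps the column complains about, a listing that cannot be searched by bulletin number and that does not tell an original bulletin from a re-released one, and the change-control need to map an external advisory to the vendor update that addresses it, are the kind of thing an enterprise security team ends up tracking locally. The following Python index is an added example written for this article, not a tool from Network World or any of the vendors named; every bulletin record, revision number, date and advisory ID in it is constructed sample data (the `MS04-NNN` format is taken from the page, the `CA-EXAMPLE-NN` advisory IDs are placeholders).

```python
"""Local security-bulletin index (added example; all records are constructed).

Shows three things a patch-management team wants from a vendor listing:
  * a search that accepts the vendor's own bulletin numbering in any spelling,
  * a view that keeps only the newest revision of each bulletin, so a host that
    applied the original can be flagged when a re-release appears,
  * a lookup from an external advisory ID to the bulletins that address it.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str          # canonical vendor ID, e.g. "MS04-001"
    revision: float           # 1.0 = original release; 1.1, 2.0 = re-releases
    released: date
    title: str
    advisories: tuple = ()    # external advisory IDs the bulletin says it addresses


# Accepts "MS04-001", "ms 04-1", " MS 04 - 001 " and normalises all of them.
_ID_RE = re.compile(r"^\s*MS\s*(\d{2})\s*-\s*(\d{1,3})\s*$", re.IGNORECASE)


def normalize_id(text):
    """Return the canonical 'MSyy-nnn' form, or None if text is not a bulletin ID."""
    m = _ID_RE.match(text)
    if not m:
        return None
    return f"MS{m.group(1)}-{int(m.group(2)):03d}"


# Constructed sample listing: one bulletin re-released once, two others original.
SAMPLE_BULLETINS = [
    Bulletin("MS04-001", 1.0, date(2004, 1, 13), "Sample bulletin A (constructed)",
             ("CA-EXAMPLE-01",)),
    Bulletin("MS04-001", 1.1, date(2004, 2, 10), "Sample bulletin A, re-release (constructed)",
             ("CA-EXAMPLE-01",)),
    Bulletin("MS04-002", 1.0, date(2004, 2, 10), "Sample bulletin B (constructed)",
             ("CA-EXAMPLE-02",)),
    Bulletin("MS04-003", 1.0, date(2004, 3, 9), "Sample bulletin C (constructed)",
             ("CA-EXAMPLE-01", "CA-EXAMPLE-03")),
]


def latest_revisions(bulletins):
    """Collapse a listing to {bulletin_id: newest Bulletin for that ID}."""
    newest = {}
    for b in bulletins:
        current = newest.get(b.bulletin_id)
        if current is None or b.revision > current.revision:
            newest[b.bulletin_id] = b
    return newest


def find_bulletin(bulletins, query):
    """Search by bulletin number in any spelling; returns the newest revision or None."""
    bid = normalize_id(query)
    if bid is None:
        return None
    return latest_revisions(bulletins).get(bid)


def superseded(bulletins, applied):
    """Given {bulletin_id: revision applied on a host}, list IDs with a newer revision."""
    newest = latest_revisions(bulletins)
    return sorted(bid for bid, rev in applied.items()
                  if bid in newest and newest[bid].revision > rev)


def bulletins_for_advisory(bulletins, advisory_id):
    """Map an external advisory ID to the vendor bulletins that claim to address it."""
    return sorted(b.bulletin_id for b in latest_revisions(bulletins).values()
                  if advisory_id in b.advisories)


if __name__ == "__main__":
    print(find_bulletin(SAMPLE_BULLETINS, "ms 04-1"))
    print(superseded(SAMPLE_BULLETINS, {"MS04-001": 1.0, "MS04-002": 1.0}))
    print(bulletins_for_advisory(SAMPLE_BULLETINS, "CA-EXAMPLE-01"))
```

The `superseded` check is the change-control step the column describes: a host inventory records which revision was applied, and a re-released bulletin shows up as outstanding work instead of being hidden in an undifferentiated listing.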

While all four vendors defended how they are currently serving up security information, all also added the caveat that they are open to feedback on how to improve the process. Speak up and help convince them to face this challenge head on.