Industry experts advise networking vendors to separate security updates from features for clearer understanding, prioritization, and implementation. (IT World Canada)


January 25, 2024

A coalition of industry experts and stakeholders in the Network Resilience Coalition has released a white paper advising networking vendors to reconsider their approach to security updates. The coalition, composed of network hardware and software manufacturers, IT networking providers, and customers, aims to enhance the security of IT network hardware and software on a global scale.

The white paper, released on Tuesday, suggests that networking vendors should separate critical security updates from new features in order to simplify the understanding, prioritization, and implementation of patches. Additionally, the coalition encourages manufacturers to provide clearer details on the lifespan of their products. The recommendations come at a crucial time when cyber threats are on the rise, resulting in increased incidents of data theft, ransomware attacks, and complete network outages.

During a press conference accompanying the report's release, Matt Fussa, Chief Trust Officer at Cisco Systems, emphasized the coalition's focus on addressing the exploitation of vulnerabilities by threat actors even after patches have been issued. The coalition is optimistic that enhancing the transparency of software updates and adopting more secure application development processes will yield significant benefits in the United States and other nations.

Fussa predicts that the suggestions outlined in the white paper could become legal requirements in Europe and the U.S. within three years. Urging immediate action, he stressed the importance of adopting better software development practices, automating patching, and incorporating machine-readable threat and vulnerability information.

Highlighting the urgency of the matter, Fussa encouraged the adoption of the NIST Secure Software Development Framework and the creation of a software bill of materials for customers. Failure to safeguard network infrastructure not only poses business risks but also jeopardizes the technologies essential for societal functioning.

The coalition's recommendations include automating patching, providing comprehensive information on product end-of-life status, aligning software development practices with the NIST framework, and considering participation in the OpenEoX effort to standardize end-of-life information communication.

The group also places responsibility on IT departments, suggesting they buy from vendors aligned with the NIST framework, ensure clear end-of-life information, and plan for separate critical security fixes. Cybersecurity vigilance, product configuration alignment with vendor recommendations, and participation in the OpenEoX effort are also advised.

The white paper release included a panel discussion of the patching dilemma. Some customers delay upgrades for various reasons, posing challenges for manufacturers looking to automate patch installations. The separation of features from security updates was acknowledged as a complex task, raising concerns about how clearly patches, security updates, and security feature updates can be distinguished.

In conclusion, the Network Resilience Coalition emphasizes the complexity of managing networks but expresses hope for improvement through collaborative efforts with vendors, customers, and governments. The urgency of adopting recommended practices is underscored, recognizing the evolving landscape of cyber threats and the potential risks to network infrastructure and societal technologies.
