I spend a lot of time talking to customers and a common topic they raise is the increasing complexity of the application environment they are managing, and the challenges in keeping that environment healthy. This makes sense: many enterprises now manage a complex portfolio of on-premises, public cloud, and hybrid- or multi-cloud applications—and those applications are composed of and supported by an ever-expanding number of hardware, software, and services components.
Operating such a sprawling landscape even under optimal conditions is a challenge. Each of those components requires careful monitoring and regular maintenance and updates. Then there are the unexpected issues—outages, service degradations, and vulnerabilities needing to be patched—which can lead to downtime and potentially negative business impacts. Many organizations have processes in place to deal with these events, but I hear time and time again that anything we can do to minimize the impact of the unexpected is incredibly valuable.
It is for this reason that we are making a change in how we handle the public communication of security issues in our software products, including our BIG-IP and NGINX product families. Starting now, we are moving to a predictable quarterly cadence when we have CVEs or exposures to disclose. These new Quarterly Security Notifications will align the public communication of vulnerabilities and security exposures to one pre-announced date each quarter so customers can plan for possible maintenance activities to ensure they are protected.
Fixes for security issues will continue to be included in sustaining releases across our software products, and we strongly recommend customers always run the most current release of their F5 software to optimize the security and performance of their systems. We recognize the operational overhead required to update complex systems. By aligning the communication of the security issues to a pre-published date, we are giving customers the opportunity to proactively plan for possible maintenance activities.
There will be cases where the disclosure of vulnerabilities outside of the Quarterly Security Notifications will be necessary, for example, with the release of fixes in F5’s open source projects. In those cases, we will communicate to customers through a Security Alert. Similar to our current approach, Security Alerts will include a security advisory and all necessary information for customers to understand their exposure to the issue and the steps they can take to address it.
For clarity, F5 is not disclosing any security issues today. If we have vulnerabilities to disclose, we will publish our first Quarterly Security Notification on January 19, 2022. For more information on this change and our vulnerability management policy, please click here.