When your infrastructure and your application code remain unchanged for long periods of time, you are simply widening the window of opportunity for the bad guys. The longer they have to do reconnaissance, reverse-engineer your systems, and search for weaknesses to exploit, the greater the chance that you will be compromised.
As we wind down 2015 and businesses prepare to shut down for the extended holiday break, many will also implement a code freeze. The code freeze is a normal operating procedure that occurs regularly as an application or software update nears release, or whenever there is a crucial business milestone, such as the end of a quarter or the end of a fiscal year. Unfortunately, a code freeze also means that vulnerabilities found during the freeze typically go unpatched until it lifts, and cybercriminals get an extended period of time to analyze and exploit those flaws.
Many security professionals perceive change as the “enemy.” If the network infrastructure and all of the applications running on it would just stay the same, then it would ostensibly be easier to keep tabs on everything and mitigate any vulnerabilities. The reality, though, is that if you slow things down so that there is only a monthly, or even quarterly, update window, you leave your network and data exposed to known flaws, and to any zero-day attack that emerges, for a much longer period of time.
It takes too long to fix most vulnerabilities as it is. Some estimates suggest that it takes more than 100 days on average to develop a patch after a vulnerability is identified. Implementing a code freeze gives the bad guys even more time to do nefarious things before a patch can be applied. That is why the opposite approach, rapid development and more frequent updates, is the more secure one.
The current trend, from Agile development to DevOps and continuous delivery, allows companies to identify and fix vulnerabilities as soon as they are found rather than waiting for the next scheduled window. The rapid pace of change with DevOps and continuous delivery does not result in reduced stability or security, at least not if it is done right.
Check out the full story on the RSA Conference blog: Why A Code Freeze Is a Cybercriminal’s Best Friend.