Re: Security release scheduling

2015-09-29 Thread Harlan Stenn


On 9/28/15 11:08 PM, Mark Andrews wrote:
> In message <560a13e6.7060...@nwtime.org>, Harlan Stenn writes:
>> I'm looking for some general "calendar" help to use for our security
>> release scheduling process.  Something that usefully accounts for
>> clients all over the world.
>>
>> By "usefully accounts" I mean that we want to be able to have reasonable
>> confidence that we're not going to pick a public release date that is a
>> national holiday for one country, and we're also not going to avoid a
>> date because it's "let's order pizza" day somewhere else, but the
>> purpose of the holiday is obscured because of language translation issues.
>>
>> I figure this is something others must have solved, and I'm hoping some
>> folks on this list might be able to offer me some pointers.
> 
> There's a national holiday basically every day of the year.
> 
> http://www.timeanddate.com/holidays/

Thanks, Mark!

So much for that idea...

I guess the best we can hope for is to minimize the impact.

-- 
Harlan Stenn 
http://networktimefoundation.org - be a member!



Re: Security release scheduling

2015-09-29 Thread Harlan Stenn
Good info, Barry - thanks!

I appreciate your offer, too!

H
--

On 9/29/15 12:39 AM, Barry Greene wrote:
>>
>> Hi Harlan,
> 
> The general principle is look out for the major network lock downs. Sometimes 
> that overlaps with holidays. Other times it is over financial close 
> months.
> 
> My personal $.02 is to avoid major vulnerability disclosures in December, 
> during Lunar New Year weeks, during Ramadan, and June. Some would also 
> include August (Euro holidays).
> 
> But these days there are timers given by the vulnerability finder (or CERT 
> Team) and conference disclosures (security rock stars) that drive the 
> disclosure to a time which is not optimal to the people who have to roll out 
> the remediation. 
> 
> In essence, write a disclosure policy, put it on your website, and be open for 
> improvements based on input from your constituents. Do your best. That is all 
> you can do.
> 
> Barry
> 
> PS - Let me know if you need help writing the disclosure policy. 

-- 
Harlan Stenn 
http://networktimefoundation.org - be a member!



Re: Security release scheduling

2015-09-29 Thread Mark Andrews

In message <560a13e6.7060...@nwtime.org>, Harlan Stenn writes:
> I'm looking for some general "calendar" help to use for our security
> release scheduling process.  Something that usefully accounts for
> clients all over the world.
> 
> By "usefully accounts" I mean that we want to be able to have reasonable
> confidence that we're not going to pick a public release date that is a
> national holiday for one country, and we're also not going to avoid a
> date because it's "let's order pizza" day somewhere else, but the
> purpose of the holiday is obscured because of language translation issues.
> 
> I figure this is something others must have solved, and I'm hoping some
> folks on this list might be able to offer me some pointers.

There's a national holiday basically every day of the year.

http://www.timeanddate.com/holidays/

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Security release scheduling

2015-09-29 Thread Barry Greene
> 
> Hi Harlan,

The general principle is look out for the major network lock downs. Sometimes 
that overlaps with holidays. Other times it is over financial close months.

My personal $.02 is to avoid major vulnerability disclosures in December, 
during Lunar New Year weeks, during Ramadan, and June. Some would also include 
August (Euro holidays).

But these days there are timers given by the vulnerability finder (or CERT 
Team) and conference disclosures (security rock stars) that drive the 
disclosure to a time which is not optimal to the people who have to roll out 
the remediation. 

In essence, write a disclosure policy, put it on your website, and be open for 
improvements based on input from your constituents. Do your best. That is all 
you can do.

Barry

PS - Let me know if you need help writing the disclosure policy. 




Re: Security release scheduling

2015-09-29 Thread Barry Greene

> On Sep 29, 2015, at 3:57 PM, Harlan Stenn  wrote:
> 
> Good info, Barry - thanks!
> 
> I appreciate your offer, too!

Here is a brain dump: 
https://www.linkedin.com/pulse/5-principles-vulnerability-disclosure-barry-greene

For the people who are not vendors on the list, the post has some good 
questions to ask your vendors about their vulnerability disclosure processes.