New Software Lifecycle Policy Reduces TCO and Vulnerabilities
As one of several efforts to reduce platform TCO, Magento has announced a shift in policy. Previously supported versions (2.3.x) will get security-only quarterly releases. This means that the current mainline versions (2.4.x) will be the only ones to receive new features, quality improvements AND security fixes with each quarterly release. By packaging security fixes only, Magento is significantly reducing the effort and risk for the quarterly upgrade process, making it cheaper for security-conscious merchants to stay secure.
The average cost of a data breach is $3.86 million, and 82% of eCommerce stores that had malware were running an unsupported version. Magento’s new approach of doing security-only quarterly releases makes it easier for merchants to reduce their vulnerability.
Your choices:
- Want to maintain the security of your site and have lower upgrade costs? Then stay on the 2.3.x branch while it is supported. General bug fixes for the 2.3.x branch will be made available via the Quality Patches Tool where merchants can opt-in for installations as needed.
- Want to take advantage of new features? Move to the 2.4.x branch.
More information on the new policy is available from Magento here.
Not Much In Terms of New Functionality … which is a good thing
This close to the 2020 holiday period, a large release would be difficult for merchants who need to guarantee site stability during peak season. What this release does give us is hundreds of quality improvements and more than 15 security fixes.
Security Vulnerabilities Addressed
We’ve seen recent brute force attempts on credit card forms across a range of sites. Magento is addressing this major problem in this release through the inclusion of CAPTCHA on all payment related APIs.
This new feature first applies rate limiting and then requires a CAPTCHA during the checkout process, stopping the bots that try to guess credit card numbers and place fraudulent orders. The good news is that this feature is also being made available to 2.3.6.
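As an added illustration of the rate-limit-then-CAPTCHA escalation described above (example code written for this post, not Magento's implementation), the guard below counts failed payment attempts per client key in a sliding window and escalates from allow to CAPTCHA to block; the thresholds, the 60-second window, keying by client IP and the sample attempts are all assumptions constructed for the example:

```python
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not Magento's defaults).
WINDOW_SECONDS = 60
CAPTCHA_AFTER = 3    # failed attempts before a CAPTCHA is required
BLOCK_AFTER = 10     # failed attempts before the request is rejected


class PaymentAttemptGuard:
    """Sliding-window count of failed payment attempts per client key."""

    def __init__(self, window=WINDOW_SECONDS,
                 captcha_after=CAPTCHA_AFTER, block_after=BLOCK_AFTER):
        self.window = window
        self.captcha_after = captcha_after
        self.block_after = block_after
        self._failures = defaultdict(deque)  # key -> recent failure times

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:   # drop expired failures
            q.popleft()
        return q

    def decision(self, key, now):
        """Return 'allow', 'captcha' or 'block' for a new request."""
        n = len(self._recent(key, now))
        if n >= self.block_after:
            return "block"
        if n >= self.captcha_after:
            return "captcha"
        return "allow"

    def record(self, key, now, success):
        """Record an attempt's outcome; a success clears the counter."""
        if success:
            self._failures.pop(key, None)
        else:
            self._recent(key, now).append(now)


# Constructed sample of payment API attempts: (seconds, client key, success)
SAMPLE_ATTEMPTS = (
    [(t, "203.0.113.7", False) for t in range(11)]            # bot: 11 failures
    + [(5, "198.51.100.2", False), (6, "198.51.100.2", True)]  # shopper: typo, then ok
    + [(70, "203.0.113.7", False)]                             # bot back after window
)


def replay(attempts, guard=None):
    """Replay attempts and return the decision taken before each one."""
    guard = guard or PaymentAttemptGuard()
    decisions = []
    for t, key, ok in attempts:
        decisions.append(guard.decision(key, t))
        guard.record(key, t, ok)   # blocked attempts still count as failures
    return decisions
```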
We are also seeing two critical security vulnerabilities being addressed with the release of 2.4.1 and 2.3.6 (also addressed in 2.4.0-p1). These are ranked by Adobe as Priority 2, meaning merchants should have these updates in place within 30 days to ensure their site is both compliant and secure, especially heading into the holiday period.
Information on the vulnerabilities can be found on the Adobe Security Bulletin here.
Site-Wide Analysis Tool and Reporting
The Site-Wide Analysis Tool has been in the works for 12+ months. It will make its debut in 2.4.1 via the Magento Admin panel. This tool provides insights into the overall health of your Magento site and monitors the infrastructure and application stacks to highlight poor configuration, outdated services or extensions, and general opportunities for improvement.
Currently this tool is only available for Magento Commerce customers, but stay tuned next year for on-premise support.
A Crystal Ball for 2021
With the new policy in place, 2021 is shaping up to offer far simpler upgrades, allowing merchants to focus on other site improvements. Mark your calendar:
February: Minor update to Magento 2.4.2 (with feature, quality and security improvements).
May: Security-only release.
August: Minor update to Magento 2.4.3 (with feature, quality and security improvements). So you’ll have plenty of time to apply the update prior to the 2021 holiday period and focus on security-only patches in October.
October: Security-only release.
Release schedule – https://devdocs.magento.com/release/
Note: exact dates are subject to change.