Over the past year I have been to several Joomla!days and open source events. During these events one of the topics that comes back every time is Joomla! security. Looking at reports on the web and reports of security problems, you can say that web security in general is an issue. A lot of reports about security related topics can be found in our forum and in public reports, and there can be no doubt that security is also something to care about when using Joomla!

In this blog I don't want to discuss whether Joomla! is safe or not. The answer to that question depends on the precautions you have taken to create a safe server and a safe Joomla! installation. If you are interested in a pretty good tutorial, I advise you to take a look at the Joomla! security checklist. Assuming your site has been set up properly and all precautions have been taken to make it safe, what is the best practice to keep your site up to date? I had a long discussion with someone at the Swiss Joomla!day about the logic he used to update. He waited for quite a while (two months, if I recall) to see if any problems were reported with the update. Although I can imagine circumstances in which you are not eager to be an early adopter, this can be quite a risky strategy when, for example, a fix for a high-level security threat in the Joomla! core code or updates of extensions you use are released.
It's almost impossible to give a checklist that fits every situation, as the update process can be quite a challenge when you have a very complex site with a lot of tightly integrated extensions. It is important to realize that during maintenance releases we won't change the API of the CMS/Application Framework and that we strive to be fully backward compatible with previous maintenance versions. Maintenance releases aim for stability, small enhancements, bug and security fixes and limited new features (a full description of the Version Strategy and the release versioning is available in the documentation wiki).
Is there a general rule of thumb for when maintenance releases are released? Again, there is no good answer. Let's start with some scenarios. When a maintenance version is released that fixes a major security issue (like Joomla! 1.5.7), I advise you to be on very high alert and upgrade your site as soon as you can. The same applies when a high-level security patch is released for one of the extensions you use on your site.
When there is a normal maintenance release (like 1.5.8) I also suggest upgrading as soon as possible. The newest version of the software holds bug fixes and most likely also fixes for (minor) security issues. To make things go as smoothly as possible, I suggest you always test the upgrade in a test environment first. This is also good practice when you have found a new extension you want to use. You will be surprised how many people expect the update or extension to be good without testing it.
I normally implement maintenance versions as soon as possible, and 99 out of 100 times this goes without any problem. Simply waiting for 1.5.7 or 1.5.8 to have proven itself good is a BAD practice. I spend a lot of time validating the extensions I use: if they do not use the 1.5 API properly or are not actively maintained, I simply won't use them. Extensions that use obscure hacks (or legacy mode) to make things work are also out. But although I trust the patches created by the Joomla! Bug Squad and Development team, I always do a test in a separate environment before I implement it on the live site, and only after we have made a proper backup of the live site. Update logic will be an interesting challenge for the update mechanism that is being built into the upcoming Joomla! 1.6.
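To make the "back up first, then test, then update" step concrete, here is an added example of a pre-update backup script for a Joomla! 1.5 site; it is not part of the original post or of Joomla! itself. It assumes the standard 1.5 layout of configuration.php (a JConfig class with `var $key = 'value';` lines) and libraries/joomla/version.php (JVersion with `$RELEASE` and `$DEV_LEVEL`), and that mysqldump is on the PATH.

```shell
#!/bin/sh
# Pre-update backup for a Joomla! 1.5 site: archive the files, dump the
# database named in configuration.php and record the installed version,
# so the live site can be restored if the update goes wrong.
# Assumed layout: configuration.php (class JConfig, "var $key = 'value';")
# and libraries/joomla/version.php (class JVersion, $RELEASE / $DEV_LEVEL).

# jconf_value FILE KEY -> the quoted value of "var $KEY = '...';" in FILE
jconf_value() {
    sed -n "s/^[[:space:]]*var[[:space:]]*[$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# joomla_version SITE_ROOT -> "RELEASE.DEV_LEVEL", e.g. 1.5.8
joomla_version() {
    v="$1/libraries/joomla/version.php"
    echo "$(jconf_value "$v" RELEASE).$(jconf_value "$v" DEV_LEVEL)"
}

# backup_site SITE_ROOT DEST_DIR -> writes a files tarball, a compressed DB
# dump and a version marker into DEST_DIR; returns non-zero if any step fails
backup_site() {
    site="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
    conf="$site/configuration.php"
    [ -r "$conf" ] || { echo "no configuration.php in $site" >&2; return 1; }
    mkdir -p "$dest" || return 1
    ver=$(joomla_version "$site")
    echo "$ver" > "$dest/joomla-version-$stamp.txt"
    tar -czf "$dest/files-$ver-$stamp.tar.gz" -C "$site" . || return 1
    # The password goes through the environment, not the command line,
    # so it does not show up in the process list while the dump runs.
    MYSQL_PWD=$(jconf_value "$conf" password) \
    mysqldump --single-transaction \
        -h "$(jconf_value "$conf" host)" -u "$(jconf_value "$conf" user)" \
        "$(jconf_value "$conf" db)" > "$dest/db-$ver-$stamp.sql" || return 1
    gzip -f "$dest/db-$ver-$stamp.sql" || return 1
    chmod 600 "$dest"/db-*.sql.gz
    echo "backup of Joomla! $ver written to $dest"
}

# usage: backup_site /path/to/joomla /path/to/backups
```

Run it against the live site before testing an upgrade in the separate environment, and keep the dump out of the web root.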