ABSTRACT

Performing an internal code walkthrough during the design phase, discovering a vulnerability, changing a few lines of code and updating the documentation (if that is even necessary) could take as little as a few minutes. Having the help desk field calls from concerned customers who believe there is a security vulnerability, logging the issue into a database, having a quality assurance associate reproduce the problem, opening up the code, reviewing the code, updating the code, updating the documentation, packaging the update, maintaining the new version, shipping it out, and then fielding calls from customers wondering why the patch just disabled some other application will cost a lot more. In today's environment, it is not a matter of if the costs will be incurred; it is a matter of when and how much. Nobody can credibly argue that money is saved by fixing an undocumented feature (a software bug) or vulnerability only after the first vulnerability is detected and the product is already in the hands of the customers.