ABSTRACT
Performing an internal code walkthrough during the design phase, discovering a vulnerability, changing a few lines of code, and updating the documentation (if that is even necessary) could take as little as a few minutes. Having the help desk field calls from concerned customers who believe there is a security vulnerability, logging the issue into a database, having a quality assurance associate reproduce the problem, opening the code, reviewing the code, updating the code, updating the documentation, packaging the update, maintaining the new version, shipping it out, and then fielding calls from customers wondering why the patch just disabled some other application will cost a great deal more. In today's environment, it is not a matter of if these costs will be incurred; it is a matter of when and how much. Nobody can argue that money is saved by fixing an undocumented feature (a software bug) or vulnerability only after the first vulnerability is detected and the product is already in the hands of customers.