This site graciously hosted
by our friends at


7 May 2003

In a recent interview (, Microsoft's Craig Fiebig claims that applying security patches to software is the most expensive security measure for an enterprise to handle, and that keeping anti-virus signatures up to date is the least. According to the article, he further asserts that if companies were to do both, then the majority of security problems would be eliminated.

Indeed, patching applications is costly, both for the vendor and for the consumers. And, keeping up with those patches would go a long way in making the Internet more secure. However, the article misses some major points on the issue, including the following:

- We consumers are baraged with dozens upon dozens of security patches. Even if the patches did a perfect job at eliminating their respective vulnerabilities, it would be a daunting task to keep up with them in many environments. (In others, like for example the financial or pharmaceutical world where rigid configuration management processes are required by law, it is downright not feasible.) Add in the fact that occasionally the patches cause operability problems with the software, and it is no wonder that the IT world gets burned every few months by a Code Red, Nimda, or other piece of malicious software.

- Conventional anti-virus software is quite often defenseless against new malicious software. Anti-virus software that simply looks for static signature matches against a database of known viruses, trojans horses, etc., wouldn't stand a chance of detecting a brand new piece of malicious code.

Blaming the systems administrators for not patching their installed software is simply not sufficient. Patching software is just one piece of a much bigger puzzle. Another is that software producers need to do a better job at producing quality code. Producing high quality, secure software does not happen by accident. It is the result of a methodical engineering process that starts with sound architectural principles to build a robust design that can then be expertly implemented into a reliable, mature product. Each phase of that process should include thorough tests and reviews, so that we can rid the world of dreaded software flaws such as "buffer overflows" -- by far the most commonly patched security vulnerability in today's software.

In our book, Secure Coding: Principles and Practices (O'Reilly & Associates, June 2003), my co-author and I lay the foundation for helping software developers understand how to go about the process of producing secure code. In doing so, we take the reader through a typical design methodology and illustrate the things that he should be paying attention to regarding security at each step, from architecture through the operation of the product. See for more information.

--- Kenneth R. van Wyk (

Copyright (C) 2003, Kenneth R. van Wyk. Permission granted to reproduce and distribute in entirety with credit to author.

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.