Updates, Threats, and Risk Management

By Steve Lipner, John Pescatore

Communications of the ACM, Vol. 66 No. 5, Pages 21-23

The previous Communications Security column (January 2023), by Fabio Massacci and Giorgio di Tizio [9], used an evaluation of data about "Advanced Persistent Threats" (APTs) to defend the proposition that rapid deployment of security updates is largely ineffective and probably unnecessary as a security measure for most organizations. The data and analysis supporting those claims are drawn from the authors' longer paper in the IEEE Transactions on Software Engineering [2]. The authors also claim security updating would be entirely unnecessary if software vendors and development organizations could be held liable for the consequences of any security vulnerabilities included in their products.

We believe the authors reported on research that is challenging and has received little rigorous analysis over the years. The paper and column raise questions that are relevant and difficult to answer quantitatively. However, given the current state of security updating and secure development, we found the column could be read as advocating and justifying decisions that would increase real-world risk to IT systems. This column addresses these issues by reviewing the definition and application of the term APT and the authors' data and position on updating, then advocates a different path before turning to a discussion of liability.
