According to at least one expert, Microsoft’s newly launched Windows Vista is full of security holes. Plus ça change. But if web-enabled operating systems or applications could ever be made watertight, would they actually be a good thing for either developers or users of enterprise software?
Kaspersky Lab’s virus analyst Alisa Shevchenko recently praised Microsoft for taking a closer look at security, and appeared certain that Vista’s developers made “a concerted effort to integrate protection against cyber threats” within the operating system.
That seems a fair assumption to make, given the vast array of programming talent at Microsoft’s disposal. However, even if Microsoft has done its level best, that is no guarantee that Vista will not be plagued by the same level of web-borne threats as XP.
It has often been suggested that application developers themselves should take responsibility for ensuring software security, rather than leaving it to third-party add-ons to fill in the gaps. There have even been calls for software companies to shoulder the burden of compensation should enterprise customers suffer data loss, outages or other revenue-sapping catastrophes as a result of hackers breaking into their systems because of vulnerable software defences.
This is partly the reason behind development tools like those being offered by Borland and Cenzic, which are designed to identify and fix vulnerabilities in source code before final versions of software are released.
But vulnerability checking within web applications can only go so far – it can never deliver a completely safe end-product that is immune to the ravages of everything the hacker community can throw at it. Any aspiring cyber terrorist needs something to shoot at before figuring out the best way to take aim, so it remains impossible for programmers to anticipate every form of attack that might ever be directed at their application.
Perhaps more importantly, stronger security always seems to come at the expense of usability, with productivity constantly being hampered by pop-up windows warning of potential threats and asking what the user would like to do.
The ability to eliminate software vulnerabilities prior to release could have another, more catastrophic effect on the development community. Many programmers rely on work writing patches and bug fixes to make a living – if the day finally comes when this skill is no longer needed, they may well have to start looking for alternative sources of work.





