At the bank, the security officer says, is a running list of vendorsthat are "certified" - that is, they've successfully met theapplication security criteria by going through the formal process. Thelist is incentive for vendors to clean up their code, because ifthey're certified, they have an advantage over those that aren't thenext time they want to sell software. Vendors, he says, "have eithergone broke trying to satisfy our criteria, or they run through theoperation pretty well. A few see what we demand and just run away. Butthere doesn't seem to be any middle ground."

The government is taking an active role. The image of the governmentin security is that of a clumsy organization tripping over its own redtape. But right now, at least in terms of application security, thegovernment is a driving force, and the government's efforts to improvesoftware are making a joke of the private sector.

In fact, no industry has been more effective in the past year atpushing vendors into security or using its clout (often, that comes inthe form of regulation) to effect change.