Software Security

The Big Fix

14.10.2002
By Scott Berinato

Patches are like ridiculously complex tourniquets. They are the terrible price everyone - vendors and CSOs alike - pays for 30 years of insecure application development. And they are expensive. Davidson at Oracle estimates that one patch the company released cost Oracle $1 million. Charney won't estimate. But what's clear is that the economics of patching is quickly getting out of hand, and the vendors appear to be motivated to ameliorate the problem.

At Microsoft, it starts with security training, required for all Microsoft programmers as a result of Gates's memo. Michael Howard, coauthor of Writing Secure Code, and Steve Lipner, manager of Microsoft's security center (Patch Central), are running the effort to make Microsoft software more secure.

The training establishes new processes (coding through defense in depth, that is, writing your piece of code as if everything around your code will fail). It sets new rules (security goals now go in requirements documents at Microsoft; insecure drivers are summarily removed from programs, a practice that Richardson says would have been heresy not long ago). And it creates a framework for introducing Microsoft teams to the concept of managed code (essentially, reusable code that comes with guarantees about its integrity).

A year and several hundred million dollars later, it's still not clear if the two-day security training for Microsoft's developers is giving them a fish, or teaching them to fish. Richardson seems to believe the latter. She says the training starts with "religion, apple pie and how-we-have-to-save-America speeches." And, she says, it includes at least one tough lesson: "You can't design secure code by accident. You can't just start designing and think, Oh, I'll make this secure now. You have to change the ethos of your design and development process. To me, the change has been dramatic and instant."

To Microsoft customers, it's a more muted reaction. Since Gates's proclamation, gaping security holes have been found in Internet Information Server 5.0, reminding the world that legacy code will live on. Even the company's gaming console, Xbox, was cracked - indicating the pervasiveness of the insecure development ethos and how hard it will be to change.
