Microsoft also faces an extremely skeptical community of CSOs andother security watchdogs. Don O'Neill, executive vice president forthe Center for National Software Studies, says, "When it comes totrustworthy software products, Microsoft has forfeited the right tolook us in the face."

So let's end where conversations about application security usuallybegin: Microsoft.

Richardson's reaction to Gates's memo was not much different thananyone else's. "I wondered how much of this was a marketing issuecompared with a real consumer issue," she says.

The memo has become a reference point in the evolution of applicationsecurity - the event cited as the start of the current sea change. Intruth, the tides were turning for a year or more, and if a date mustbe given, it would be Sept. 18, 2001, one week after 9/11 and the daythat the Nimda virus hit. Microsoft's entering the fray - as it didwith the Internet in 1995, also via a memo - is more an indication thatthe latecomers have arrived, a sort of cultural quorum call.

It was, "We're all here so let's get started," the beginning of theera of application security as a real discipline, and not an oxymoron.