
Software Security

The Big Fix

14.10.2002
By Scott Berinato

The only thing more shocking than the fact that Kawasaki's iconoclasm passes as wisdom is that executives have spent billions of dollars endorsing it. They've invested - and reinvested - in software built to be revolutionary and not necessarily good. And when those products fail, or break, or allow bad guys in, the blame finds its way everywhere except to where it should go: on flawed products and the vendors that create them.

"We've developed a culture in which we don't expect software to work well, where it's OK for the marketplace to pay to serve as beta testers for software," says Steve Cross, director and CEO of the Software Engineering Institute (SEI) at Carnegie Mellon University. "We just don't apply the same demands that we do from other engineered artifacts. We pay for Windows the same as we would a toaster, and we expect the toaster to work every time. But if Windows crashes, well, that's just how it is."

Application security - until now an oxymoron of the highest order, like "jumbo shrimp" - is why we're starting here, where we usually end. Because it's finally changing.

A complex set of factors is conspiring to create a cultural shift away from the defeatist tolerance of "that's just how it is" toward a new era of empowerment. Not only can software get better, it must get better, say executives. They wonder, Why is software so insecure? and then, What are we doing about it?

In fact, there's good news when it comes to application security, but it's not the good news you might expect. In fact, application security is changing for the better in a far more fundamental and profound way. Observers invoke the automotive industry's quality wake-up call in the '70s. One security expert summed up the quiet revolution with a giddy, "It's happening. It's finally happening."