Fortunately, some enterprising companies have built tools thatautomate the process of finding the buffers and fixing the software.The class of tool is called secure scanning or application scanning,and the effect of such tools could be profound. They will allow CSOsto, basically, audit software. They've already become part of thesecurity auditing process, and there's nothing to stop them frombecoming part of the application sales process too. Wysopal tells thestory of a CSO who brought him a firewall for vulnerability testingand scanning. When a host of serious flaws were found, the customerliterally sent the product back to the vendor and, in so many words,said, If you want us to buy this, fix these vulnerabilities. Topreserve the sale, the vendor fixed the firewall.

Strong contracts are making software better for everyone. According to@Stake research, vendors should realize that there's an ROI indesigning security into software earlier rather than later. ButWysopal believes that's not necessarily the only motivation forcompanies to improve their code's safety. "I think they also see theliability coming," he says. "I think they see the big companiesbuilding it into contracts."