
The Big Fix

14.10.2002
By Scott Berinato

Mary Ann Davidson, CSO at Oracle, claims that now "no one is asking for features; they want information assurance. They're asking us how we secure our code." Adds Scott Charney, chief security strategist at Microsoft, "Suddenly, executives are saying, 'We're no longer just generically concerned about security.'"

So What Are We Doing About It?

Specifically, all this concern has led to the empowerment of everyone who uses software, and now they're pushing for some real application security. Here are the reasons why.

Vendors have no excuse for not fixing their software because it's not technically difficult to do. For anyone who bothers to look, the numbers are overwhelming: 90 percent of hackers tend to target known flaws in software. And 95 percent of those attacks, according to SEI's Cross, among other experts, exploit one of only seven types of flaws. So if you can take care of the most common types of flaws in a piece of software, you can stop the lion's share of those attacks. In fact, if you eliminate the most common security hole of all - the dreaded buffer overflow - Cross says you'll scotch nearly 60 percent of the problem right there.

"It frustrates me," says Cross. "It was kind of chilling when we realized half-a-dozen vulnerabilities were causing most of the problems. And it's not complex stuff either. You can teach any freshman compsci student to do it. If the public understood that, there would be an outcry."
