In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato


A year and several hundred million dollars later, it's still not clear if the two-day security training for Microsoft's developers is giving them a fish, or teaching them to fish. Richardson seems to believe the latter. She says the training starts with "religion, apple pie and how-we-have-to-save-America speeches." And, she says, it includes at least one tough lesson: "You can't design secure code by accident. You can't just start designing and think, Oh, I'll make this secure now. You have to change the ethos of your design and development process. To me, the change has been dramatic and instant."

To Microsoft customers, it's a more muted reaction. Since Gates's proclamation, gaping security holes have been found in Internet Information Server 5.0, reminding the world that legacy code will live on. Even the company's gaming console, Xbox, was cracked, indicating the pervasiveness of the insecure development ethos and how hard it will be to change.

Microsoft also faces an extremely skeptical community of CSOs and other security watchdogs. Don O'Neill, executive vice president for the Center for National Software Studies, says, "When it comes to trustworthy software products, Microsoft has forfeited the right to look us in the face."

So let's end where conversations about application security usually begin: Microsoft.

Richardson's reaction to Gates's memo was not much different than anyone else's. "I wondered how much of this was a marketing issue compared with a real consumer issue," she says.

The memo has become a reference point in the evolution of application security, the event cited as the start of the current sea change. In truth, the tides were turning for a year or more, and if a date must be given, it would be Sept. 18, 2001, one week after 9/11 and the day that the Nimda virus hit. Microsoft's entering the fray, as it did with the Internet in 1995, also via a memo, is more an indication that the latecomers have arrived, a sort of cultural quorum call.

It was, "We're all here so let's get started," the beginning of the era of application security as a real discipline, and not an oxymoron.
