Fortunately, some enterprising companies have built tools that automate the process of finding the buffers and fixing the software. The class of tool is called secure scanning or application scanning, and the effect of such tools could be profound. They will allow CIOs and CSOs to, basically, audit software. They've already become part of the security auditing process, and there's nothing to stop them from becoming part of the application sales process too. Wysopal tells the story of a CSO who brought him a firewall for vulnerability testing and scanning. When a host of serious flaws were found, the customer literally sent the product back to the vendor and, in so many words, said, If you want us to buy this, fix these vulnerabilities. To preserve the sale, the vendor fixed the firewall.

Strong contracts are making software better for everyone. According to @Stake research, vendors should realise that there's an ROI in designing security into software earlier rather than later. But Wysopal believes that's not necessarily the only motivation for companies to improve their code's safety. "I think they also see the liability coming," he says. "I think they see the big companies building it into contracts."

A contract GE signed with software vendor General Magic Incorporated earlier this year has security officers and experts giddy and encouraged by its language (see "Put It in Writing", page 92). In essence it holds General Magic fully accountable for security flaws and dictates that the vendor pay for fixing the flaws.

General Magic officials say they weren't surprised by the language in the contract, but many experts say the company has to be pretty confident in its products to sign off. The effect of the contract, though, is to improve software in general. The vendor must make secure applications - or fix them so they're secure - to conform to its contract with a customer, but that makes the software better for everyone.

Clout is not limited to the Fortune 500. Sure, it's easy for GE to write such a contract, given that GE is part of the Fortune 2. And there's nothing wrong with CIOs benefiting from GE's clout - the corporate equivalent of drafting in auto racing.

But there are other ways to force the issue with vendors for CIOs at companies smaller than GE (which is everyone but Wal-Mart). One can join the Sustainable Computing Consortium at Carnegie Mellon University, and the Internet Security Alliance, formed under the Electronic Industry Alliance. The interest groups help companies of all sizes band together on standardising contract language and best practices for software development.

Some are taking satisfaction in a good old-fashioned boycott, even if they are so small as to escape the vendor's notice. Newnham College at the University of Cambridge in England, with 700 users, recently banned Microsoft's Outlook from use on campus because of the virus problem.

Much of the clout CIOs gain will come from the market evolving. In a sense, the software makers create clout for CIOs by asking them to deploy the product for ever more critical business tasks. At some point, the potential damage an insecure product could inflict will dictate whether it will be purchased.

"Two years ago, the marketing strategy was to just get it out there. And some of the stuff that went out was really insecure," says the anonymous information security officer at a large financial institution. "But now, we just say, applications don't go live without security. It's a sledgehammer."

And it's not a randomly wielded one either. His company has created a formal process to assess vendors' applications and his own company's software development as well. It includes auditing and penetration testing, and the vendors' conforming to overarching security criterion, such as eliminating buffer overflows and so forth. It's not unusual, the security officer says, for his group to spend $US40,000 per quarter testing and breaking a single application.