Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company\u2019s marketing scheme that advertised its database products as "unbreakable.""I think my response was, \u2018What idiot dreamed this up?" Davidson said Thursday at the W3C conference in Edinburgh, Scotland.If civil engineers built bridges in the same fashion in which software developers write code, people would face the "blue bridge of death" every morning going to work, Davidson said. Software developers, she noted, tend to laugh nervously when they hear the analogy\u2014an insider reference to what programmers call the blank "blue screen of death" on a PC display when Windows fails.But Davidson, who commands a security unit responsible for database applications used by multinational companies and governments, said developers often have a blind eye for security. Hackers are proving ever more capable of taking advantage of poorly written software, and it\u2019s naive for developers to think those holes won\u2019t be exploited, she said."The mentality needs to change," she said.The financial cost of faulty code in software is staggering. The National Institute of Standards and Technology, a U.S. government agency, estimates computer security problems cost between US$22.2 billion to $59.5 billion per year, Davidson said.The problem of insecure software starts with how software developers are taught at universities and goes straight through to systemic vendor attitudes, Davidson said.Software coders at Oracle often need remedial coding education after they are hired since they don\u2019t consider how "evil" input could affect their products such as databases, Davidson said. Universities are not teaching secure coding practices and are reluctant to change their curriculum, she said.Vendors are pressured to move products into the market as quickly as possible, and often lack the tools to build better ones, Davidson said. As a result, software development is reaching a "tipping point" where poor security is a board-level issue.The result of bad code means spiraling patching costs for both clients and companies such as Oracle. Davidson said the record for fixing one defect was 78 patches, which cost the company around US$1 million."I don\u2019t hate protecting our customers\u2014that\u2019s important\u2014but what a waste of resources to try to Band-Aid after the fact something we should have caught earlier," she said.As a result, Oracle has implemented numerous measures to produce better code. Oracle created a 200-page guide on coding standards. An in-house hacking team pokes products for holes in live hacking sessions. Developers up to senior vice presidents must participate in educational Web-based classes."We use our own dumb-ass mistakes as examples," Davidson said. "Because if you don\u2019t do that, developers think this is an academic argument."The company uses new in-house tools to look for buffer overflow vulnerabilities and SQL injection attacks. It also employs software from Fortify Software to scan for problems in Oracle\u2019s 30 million lines of code, she said.The environment around security is getting better, she said. A few years ago, books on security were scarce. But the implications of poor security\u2014and an entrenched attitude that frequent patching is acceptable\u2014are too costly."My goal," Davidson said, "is to be out of a job."-Jeremy Kirk, IDG News ServiceCheck out our CIO News Alerts and Tech Informer pages for more updated news coverage.