2005-10-31
"The biggest thing I've seen is that security moved from an ad hoc, piecemeal approach (bug hunting) to something well-defined that's part of an overall process," Webroot's Leblanc said. "It's something a lot of companies need to emulate."
Given the events of the last six years, security experts say that what once was unthinkable may someday come to pass: hackers turning their attention from Microsoft to easier pickings in the software of other companies.
Database and enterprise software giant Oracle often comes up in discussions of other likely targets.
Researchers liken Oracle in 2005 to the Microsoft of 1999: a major software vendor with big ambitions, a huge, complicated product, a dearth of security expertise and an attitude problem.
"I remember sitting down with our research guys one night with Oracle and we found about five different flaws right away, and then just gave up," Maiffret said. "It was like, what's the point."
Vulnerabilities exist in all software, but Oracle's response to eEye's reports is sending up red flags.
"It's like Microsoft five years ago. The technical expertise isn't there. You tell them it's a buffer overflow, and have to completely draw it out for them, or they try to argue that it's not a [security] problem, it's just a crash," he said.
Litchfield of NGSS recently published an open letter on the Bugtraq security discussion list that excoriated Oracle for its slow and shoddy software patching procedures, which he said left the company's customers vulnerable to attack and gave them a false sense of security.
Oracle's October quarterly CPU (Critical Patch Update) addressed some of Litchfield's earlier criticisms and does a better job of fixing security holes in the company's database software.
For example, the latest CPU fixes not only reported holes in the company's products, but also similar holes in other areas of the code, Litchfield said. However, that change in practice only brings Oracle to the point where vendors such as Microsoft were three or four years ago.
The story isn't much better at vendors like Apple Computer Inc. and Hewlett-Packard Co., not to mention the banks, retailers and other large corporations that write and use their own software, McGraw of Cigital said.
"The biggest hurdle is that developers don't know diddly about security," McGraw said.
Ironically, he said, the lack of knowledge and training about security is especially chronic among the older and more experienced developers who came of age before the Internet and application security were high priorities, and who are often project managers with oversight of major software development projects.
"The more experienced they are the less they know and the less time they have to learn," McGraw said.
Microsoft's development process and procedures are unique, and uniquely suited to a mammoth software development shop. However, companies that want to make their software more secure will have to take many of the same steps as Microsoft to turn their ship around, McGraw said.
"You've got to train your [developers], build a knowledge base, do analysis on existing products and fix them," he said.
Even more importantly, companies have to get buy-in from the highest levels of management to make security a top priority, as Gates's Trustworthy Computing memo did at Microsoft, McGraw said.
"There were a lot of cynics who said that Microsoft is posturing, but the company has put its money where its mouth is and made slow, torturous progress," he said.
This article was originally published on eWEEK.com.