Beautiful security in software requires a fundamentally different business model from that which exists today. In fact, the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks, scrambling among developers to fix and release patches, and continual exhortations to customers to perform rudimentary checks and maintenance.

The solution is to embrace customer requirements for security controls in commercial software development. The business model for commercial software development firms has evolved to meet explicit customer requirements, but not implicit requirements, such as security. History has clearly shown that software providers are very good at delivering core functionality to meet customers’ time-to-market needs. But removing security vulnerabilities has never before been an explicit requirement. Is it possible to add it to the requirements model in a way that benefits both customers and software providers?

This chapter is a story of one firm’s pursuit to change the conventional model for acquiring and developing software. The ending of the story is not yet written, but the journey to this point may benefit other organizations interested in improving their resistance to software security exploits.