5 reasons not to plug security holes

news
May 14, 2007 · 2 mins

Columnist’s corner: It seems like a simple enough question. Should vendors close all security holes? If you’re thinking “why, yes, of course they ought to,” then not so fast. Security guru Roger Grimes leans toward a ‘yes,’ but one reader’s response was interesting enough to stir internal debate. This reader, you see, has five main reasons for waiting to close a noncritical, internally discovered vulnerability. Budget, to be certain, is a big one. So is the belief that “when a bug isn’t announced, most hackers don’t exploit it.” True or not, Grimes concedes that our reader does make points cogent enough to be worthy of consideration.

From the Test Center: As they become easier to create, Web services also are getting easier to foul up. With that in mind, Rick Grehan examines tools that claim to verify your Web services do what they’re supposed to do. “These three open-source Web service testing tools require a little more work, and I would recommend them for moderate-to-expert developers, where the learning curve would be only modestly longer than for a commercial product,” he writes. One stands above the others for its lighter framework and Perl roots. “These three tools place themselves along the spectrum from quick and easy to complex and powerful.” Read the full review.

Video: This iteration of The Week Ahead with Gina Smith looks at YouTube as a malware hotspot, previews our upcoming SOA Executive Forum, and delves into what Silicon Valley is doing about global warming. Watch it here.

The news beat: Microsoft’s general counsel demands royalties for open source software, including Linux, saying that it infringes on 235 of its patents. AMD details its forthcoming ‘Phenom’ quad-core chip for desktops, while the arrival of Intel’s Santa Rosa chip slows notebook sales for April. And SAP buys two Scandinavian companies to gain identity management software and IP-based call center applications.