Seven principles for preventing vulnerabilities in PHP programming

Inviting the Uninvited

Article from Issue 145/2012
Many web attacks are the result of programmer error. Sloppy code testing leaves a door open for the uninvited.

Today, attacks on web-based systems rarely target weaknesses in network protocols; they target flaws in the applications themselves. Many of the spectacular security breaches of recent years, such as the one on the Sony PlayStation Network, exploited programming defects in web applications. The defects are rarely exotic and fall into just a few categories; the Sony breach, for example, succeeded through an SQL injection.
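The SQL injection category named above, shown as an added example in PHP (this code is not from the article). A login query is written twice: once with the user's input spliced into the SQL text, once with a PDO prepared statement. The in-memory SQLite database, the users table and the attack payload are constructed here for the demonstration only:

```php
<?php
// Added example (not from the Linux Magazine article): the injection pattern
// described above, shown vulnerable and then fixed with a prepared statement.
// The schema, table rows and attack string are constructed for this demo.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
    $db->exec("INSERT INTO users (name, pass) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $db;
}

// Vulnerable: the input is spliced into the SQL text, so the input can change the
// structure of the query instead of merely supplying a value.
function loginVulnerable(PDO $db, string $name, string $pass): bool {
    $sql = "SELECT id FROM users WHERE name = '$name' AND pass = '$pass'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Fixed: placeholders keep SQL and data apart; the driver never parses the bound
// value as SQL. (Real code would also hash passwords; that is out of scope here.)
function loginSafe(PDO $db, string $name, string $pass): bool {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute([':name' => $name, ':pass' => $pass]);
    return $stmt->fetchColumn() !== false;
}

$db = makeDb();
$attack = "' OR '1'='1";   // classic tautology payload, constructed for the demo

// The vulnerable query becomes
//   ... WHERE name = 'nobody' AND pass = '' OR '1'='1'
// which is true for every row, so an unknown user is "logged in".
printf("vulnerable, attack: %s\n", loginVulnerable($db, 'nobody', $attack) ? 'LOGGED IN' : 'denied');
printf("safe, attack:       %s\n", loginSafe($db, 'nobody', $attack) ? 'LOGGED IN' : 'denied');
printf("safe, valid creds:  %s\n", loginSafe($db, 'alice', 's3cret') ? 'LOGGED IN' : 'denied');
```

Run it with `php example.php` (requires the pdo_sqlite extension, which ships with most PHP builds). The first line reports LOGGED IN with no valid credentials; the prepared statement denies the same payload and still accepts the genuine user. Escaping functions such as `addslashes()` are not an equivalent fix: they depend on the connection's character set and on every call site remembering to use them, whereas a placeholder cannot be forgotten once the query is written that way.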

Modern operating systems do provide elaborate protective measures, such as address space layout randomization, but these target memory corruption in native code and do nothing against injection flaws in application logic; even for memory bugs, savvy attackers can often bypass them with a few tricks. The only real solution is to develop web applications without security vulnerabilities. Systematically avoiding programming defects is therefore the noble aim of any serious software quality management.

Secure programming begins long before the first line of code is written: In the design phase, developers should consider which security issues could arise, which security requirements are necessary, and under what conditions the software will be used. By then, at the latest, the project should specify coding standards so that tests and code reviews all speak the same language.

[...]
