"This happens because it [software] is complicated," said Rocky Heckman, senior security architect at Microsoft, explaining that software has a tendency to do unintended and undesirable things.
The five common flaws he sees involve cross-site scripting (XSS), SQL injection, buffer overflows, canonicalisation, and cross-site request forgeries (XSRF).
There are established ways of avoiding these issues, including input validation, stored SQL procedures, managed code, and encrypted unique session IDs, so why do they keep appearing?
"Big organisations are like the Titanic - difficult to turn around," Heckman told iTWire. A general reluctance to touch old code contributes to the problem.
Training is the key - see page 2.
While elements of Microsoft's Secure Development Lifecycle do have a time impact on projects, they do get you to a better place, said Heckman. Developers at Microsoft say that if their peers can only make one change, it should be to carry out threat modelling.
"The best thing you can do for your developers is training," he said, observing that those who have received training in secure development don't make as many mistakes as those that haven't - though you would hope that was the case.