Chapter 13

Application Security Flaws and Application Testing

Anecdote

When I left consultancy, I was glad to do it. I was even happier when, six months later, a researcher showed me that by entering the classic SQL-injection command string into my former company’s Web site, you could gain access to all manner of information. Sweet.

But application security is like that! Programmers “think inside the box”—the “what if I don’t bother to visit the login page and go straight to the accounts page” scenario seems to defeat so many of them and make the headlines again and again. ...
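The "skip the login page and go straight to the accounts page" flaw above is a missing authorisation check, and it is one of the easiest things to test for. The following is an added example, not code from the book: a dependency-free model of a tiny web app in which requests are plain dicts and handlers return a (status, body) pair. The session store, the request shape, the account table and the `forced_browsing_check` helper are all constructed for this illustration. The vulnerable handler serves `/accounts` to anyone who asks and takes the account owner from a query parameter; the hardened handler derives the owner from the server-side session and refuses anonymous callers, and both use a parameterised query so the lookup is not open to the SQL-injection string mentioned in the anecdote.

```python
"""Forced-browsing flaw beside its fix (constructed example, no real framework)."""
import functools
import sqlite3


def _build_db():
    # Constructed in-memory account store; values are illustrative only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, number TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "ACC-001", 1200), ("bob", "ACC-002", 350)],
    )
    return db


DB = _build_db()

# Hypothetical server-side session store: session token -> username.
SESSIONS = {"tok-alice": "alice"}


def current_user(request):
    """Resolve the session cookie to a user, or None if anonymous or invalid."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def accounts_vulnerable(request):
    """Flaw: never checks that the caller is logged in, and trusts a
    client-supplied 'user' parameter to decide whose accounts to show."""
    owner = request.get("params", {}).get("user", "")
    rows = DB.execute(
        "SELECT number, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()
    return 200, rows


def login_required(handler):
    """Decorator: reject anonymous requests before the handler runs."""
    @functools.wraps(handler)
    def wrapper(request):
        user = current_user(request)
        if user is None:
            return 401, "login required"
        return handler(request, user)
    return wrapper


@login_required
def accounts_hardened(request, user):
    """Fix: identity comes from the session, not from the request, so a
    'user' parameter in the query string is simply ignored."""
    rows = DB.execute(
        "SELECT number, balance FROM accounts WHERE owner = ?", (user,)
    ).fetchall()
    return 200, rows


def dispatch(app, path, request):
    """Route a request to the handler registered for its path."""
    handler = app.get(path)
    if handler is None:
        return 404, "not found"
    return handler(request)


VULNERABLE_APP = {"/accounts": accounts_vulnerable}
HARDENED_APP = {"/accounts": accounts_hardened}


def forced_browsing_check(app, protected_paths):
    """Testing aid: return the protected paths that an anonymous request
    (no session cookie at all) can still reach with a 200."""
    anonymous = {}
    return [p for p in protected_paths if dispatch(app, p, anonymous)[0] == 200]


if __name__ == "__main__":
    anonymous = {"params": {"user": "alice"}}
    print(dispatch(VULNERABLE_APP, "/accounts", anonymous))  # leaks alice's rows
    print(dispatch(HARDENED_APP, "/accounts", anonymous))    # (401, 'login required')
    print(dispatch(HARDENED_APP, "/accounts", {"cookies": {"session": "tok-alice"}}))
    print(forced_browsing_check(VULNERABLE_APP, ["/accounts"]))  # ['/accounts']
    print(forced_browsing_check(HARDENED_APP, ["/accounts"]))    # []
```

The point of `forced_browsing_check` is that this class of flaw needs no clever payload to detect: enumerate the pages that are supposed to sit behind the login and request each one with no session at all. Any 200 is a finding. In a real test the same idea is applied to a live site with an unauthenticated HTTP client rather than to an in-process dispatch table.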

Get How to Cheat at Managing Information Security now with the O’Reilly learning platform.