As a DoD contractor, I focus a lot of my time securing my applications and auditing log files. The OWASP (Open Web Application Security Project) has a top 10 list of vulnerabilities. I'm curious how you mitigate these vulnerabilities in your code.
Here's the top 10:
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access
Feel free to discuss or ask what each vulnerability or attack is.
Personally, I use a lot of the built-in functions within ColdFusion to prevent most Injection, XSS, and Information Disclosure, including the isValid(), HTMLEditFormat(), and cfqueryparam functions. ColdFusion also has a built-in Script Protect that scrubs most of the common XSS attacks out of requests.
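To make the ColdFusion approach mentioned above concrete, here is an added example (not code from the poster) showing the three built-ins working together on one request: isValid() for input validation, cfqueryparam for A2 (Injection), and HTMLEditFormat() for A1 (XSS) on output. The datasource name application.dsn, the orders table and the form field orderId are assumptions made for the example.

```cfml
<!--- Constructed example: look up an order by an id supplied in a form field. --->

<!--- Validate the input type first; anything that is not an integer is rejected
      before it reaches the database or the page. --->
<cfif NOT isValid("integer", form.orderId)>
    <cfthrow message="Invalid order id">
</cfif>

<!--- A2 Injection: the unsafe form would be
          WHERE order_id = #form.orderId#
      which splices raw request data into the SQL string. With cfqueryparam the
      value is sent as a typed bind parameter, so it can never change the
      statement's structure. --->
<cfquery name="getOrder" datasource="#application.dsn#">
    SELECT order_id, customer_note
    FROM orders
    WHERE order_id = <cfqueryparam value="#form.orderId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- A1 XSS: customer_note is user-controlled text. HTMLEditFormat() encodes
      <, >, & and " on output, so a stored "<script>" tag is rendered as literal
      text instead of being executed by the browser. --->
<cfoutput query="getOrder">
    <p>Order #order_id#: #HTMLEditFormat(customer_note)#</p>
</cfoutput>
```

The important design point is that validation (isValid) and encoding (HTMLEditFormat) address different layers: validation limits what enters the application, while output encoding protects the page even when stored data was written by another path. cfqueryparam is the only one of the three that removes the injection class outright, since it separates data from the SQL statement rather than filtering it.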