Not to waste too much bandwidth but...

I am developing a simple internal web app for my client and was wondering how secure it was. I asked the security gurus to run the battery of tests against the app looking for the typical vulnerabilities (cross-site scripting, SQL injection, etc.). When they ran it, the only problems were in cross-site script injection into my selection (pick list) inputs. I was validating other input but I wasn't validating the selections (my bad). I hadn't done that because I was providing the selection options via reference data. Anyway, makes sense (from the domain perspective), so I added a basic validation for the selection entries too. When the tools were re-run, everything passes! ACEGI + Spring MVC is pretty ironclad. I'm quite sure a home-grown security/Struts-based app wouldn't have fared so well. More than a few heads turned when the results came out. :shock:

Kudos to the developers/contributors of these two fine frameworks!
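The gap described in the post is that a browser-rendered pick list is not a constraint: the server must check the submitted value against the same reference data it used to build the options. Below is an added allowlist check in plain Java (not the poster's code, and not tied to a specific Spring MVC API; the class, field names and reference data are constructed for illustration, and in a Spring app this logic would sit in a Validator or in the controller before the value is used).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Allowlist validation for pick-list (select) inputs, keyed by form field name. */
public class SelectionValidator {

    // Constructed reference data: exactly the <option> values the server rendered.
    // In a real app this comes from the same source that populates the pick lists.
    private static final Map<String, Set<String>> REFERENCE_DATA = Map.of(
        "country", Set.of("US", "CA", "GB"),
        "status",  Set.of("ACTIVE", "INACTIVE"));

    /** Returns one error per bad field; an empty list means every selection is valid. */
    public static List<String> validate(Map<String, String> submitted) {
        List<String> errors = new ArrayList<>();
        for (Map.Entry<String, Set<String>> field : REFERENCE_DATA.entrySet()) {
            String value = submitted.get(field.getKey());
            // Exact match against the allowlist; no normalisation, no "looks harmless" heuristics.
            if (value == null || !field.getValue().contains(value)) {
                // Do not echo the raw value into the response; that is the XSS the scanner found.
                errors.add(field.getKey() + ": not one of the offered options");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        Map<String, String> ok = Map.of("country", "US", "status", "ACTIVE");
        // Constructed tampered request: a select value rewritten client-side before submit.
        Map<String, String> tampered = Map.of("country", "<b>not-an-option</b>", "status", "ACTIVE");
        System.out.println("valid request errors:    " + validate(ok));
        System.out.println("tampered request errors: " + validate(tampered));
    }
}
```

Rejected values are worth logging server-side (without rendering them), since a submission that is not one of the offered options can only come from a modified request.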