Cross-site scripting and input sanitization problems are the most common vulnerabilities, says O'Neill. "A lot of our big wins where we were able to really compromise applications didn't necessarily involve some of these classic attacks," he adds. A number of high-level ORMs that don't accept string SQL can help mitigate this kind of attack.
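The contrast behind that last point, as an added example (not code from the article or from any particular ORM): the first function builds its query by string concatenation, while `Table`, a hypothetical miniature ORM-style interface, accepts only column names and values and binds the values as parameters. The schema, rows and input string are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def find_by_name_string_sql(db, name):
    """Anti-pattern: caller input becomes part of the SQL text itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


class Table:
    """Hypothetical ORM-style table: no method takes SQL text from the caller."""

    def __init__(self, db, name, columns):
        # Table and column names are fixed by the developer, not by request data.
        self.db, self.name, self.columns = db, name, frozenset(columns)

    def filter(self, **conditions):
        # Identifiers cannot be bound as parameters, so allow-list them.
        unknown = set(conditions) - self.columns
        if unknown:
            raise ValueError(f"unknown column(s): {sorted(unknown)}")
        keys = sorted(conditions)
        where = " AND ".join(f"{k} = ?" for k in keys) or "1 = 1"
        select = ", ".join(sorted(self.columns))
        sql = f"SELECT {select} FROM {self.name} WHERE {where}"
        # Values travel separately from the statement and are never parsed as SQL.
        return self.db.execute(sql, [conditions[k] for k in keys]).fetchall()


if __name__ == "__main__":
    db = make_db()
    users = Table(db, "users", ("name", "role"))
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    print("string SQL:", find_by_name_string_sql(db, crafted))
    print("ORM filter:", users.filter(name=crafted))
```

The allow-list on column names matters as much as the bound values: an interface that interpolates caller-chosen identifiers reintroduces string SQL through the back door.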