by raducu
2524 days ago
I work as a contractor for a bank and, while investigating a small security issue reported by a third-party audit firm, we discovered that the clever, bytecode-weaving, autogenerated declarative security had been overridden by someone who added his own, equally fancy security module directly in a parent project. I cannot describe the shock when I realized what information an attacker could have gained in the 6-month window during which the bug was active. All of this code was written by experienced programmers; it's just that nobody ever wrote any tests to ensure the fancy security code was still in place.
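The kind of regression test the comment says was missing, as an added example that is not the commenter's code and not from any real project: a declarative `requires_role` decorator guards handlers, a "parent project" later re-registers one path with its own unguarded handler, and `audit_routes` catches it. All names here (`ROUTES`, `route`, `requires_role`, `Principal`, `audit_routes`) and the sample handlers are hypothetical constructs for the illustration.

```python
"""
Regression check that a declarative authorization layer is still applied
to every registered handler.  Added illustration with hypothetical names;
none of this is from the commenter's bank project.
"""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


ANONYMOUS = Principal("anonymous")


class Forbidden(Exception):
    pass


# Hypothetical route table: path -> handler(principal, **params)
ROUTES = {}


def route(path):
    """Register a handler for a path; a later registration silently wins."""
    def register(handler):
        ROUTES[path] = handler
        return handler
    return register


def requires_role(role):
    """Declarative security: the decorator performs the check, the handler
    body never does.  The wrapper is marked so a test can find it statically."""
    def decorate(handler):
        @wraps(handler)
        def guarded(principal, **params):
            if role not in principal.roles:
                raise Forbidden(f"{principal.name} lacks role {role!r}")
            return handler(principal, **params)
        guarded.__secured_role__ = role
        return guarded
    return decorate


# Constructed sample service: two handlers correctly guarded ...
@route("/accounts/balance")
@requires_role("customer")
def balance(principal, account_id):
    return {"account": account_id, "balance": 1234.56}


@route("/accounts/transactions")
@requires_role("customer")
def transactions(principal, account_id):
    return [{"id": 1, "amount": -20.0}]


# ... and a "parent project" that later re-registers one path with its own
# handler and drops the guard.  Constructed stand-in for the override
# described in the comment; nothing in the route table flags it.
@route("/accounts/transactions")
def transactions_v2(principal, account_id):
    return [{"id": 1, "amount": -20.0}, {"id": 2, "amount": 500.0}]


def audit_routes(routes=None):
    """Return the paths whose handler is reachable without authorization.

    Two checks, because either alone can miss a regression:
      - static: the registered callable carries the decorator's marker;
      - behavioural: an anonymous call is actually refused.
    """
    routes = ROUTES if routes is None else routes
    unguarded = []
    for path, handler in sorted(routes.items()):
        marked = hasattr(handler, "__secured_role__")
        try:
            handler(ANONYMOUS, account_id="0000")
            refused = False
        except Forbidden:
            refused = True
        except Exception:
            # Any other failure (validation, backend) means the guard did
            # not fire first; treat the route as unguarded.
            refused = False
        if not (marked and refused):
            unguarded.append(path)
    return unguarded


if __name__ == "__main__":
    leaks = audit_routes()
    print("unguarded routes:", leaks)
    raise SystemExit(1 if leaks else 0)
```

Run as part of the build so that a route table with any unguarded path fails the pipeline; the behavioural check matters because a replacement security module can carry the right marker while enforcing nothing.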