[bearer_token]

Security issues, like other emergent system properties, can arise at any layer of the stack.

While code level issues should absolutely be a focus in the SDLC, it's common to find security issues crop up from:

* Hardware, kernel, OS, package, and library vulnerabilities

* Component integration / API contract misunderstandings

* Transitive trust between services and third parties

* Accumulation of access over time

* Demos, hotfixes, and workarounds that are somehow now mission critical

[AmericanChopper]

Even poorly designed business rules create huge number of security issues. The whole stack could be perfectly bug-free and you’d still get those.

[AnimalMuppet]

It can get worse. How about deliberately designed features that are security bugs? I'm looking at Microsoft's "sure, we'll execute any email attachment that the user clicks on, because that's more convenient!". Implementation language wasn't going to save you there...

[hnick]

Credit card numbers as customer identifiers on printed and emailed documents? Seen it.

[throwawaybbb]

That can be summarized as: unexpected interaction between independently secure parts.

Just because you've written secure components in a safe language doesn't mean you don't have security issues when you run them together.