Secure in 2010? Broken in 2011!

In 2010, a security research firm stumbled on a couple of vulnerabilities in Apache OFBiz, a widely used open source enterprise automation software project. As a proof of concept, it posted a video showing how easy it was to become an administrator by exploiting one of the XSS issues in the application. To remain credible, the OFBiz team was forced to invest in security. After digging into its bug database, the team gathered security knowledge from different sources to improve its product, and made a big push to resolve the known issues in early 2010. Barely a year later, the very code base that had been thought secure was again seriously broken. This scenario actually occurs quite frequently, for several reasons.