Conversation

I know there's a long academic literature on the question of "do programmers make similar mistakes." Has that work been extended to security? Do programmers make the same sorts of security mistakes when writing similar programs?

@adamshostack

They don't think about how the system can be attacked.

That requires careful thought, which takes time.

Manglement just wants deliverables.

@adamshostack humans are creatures of habit. Of course they make the same sorts of mistakes, until they make the effort to change the habit.

@adamshostack Obviously, since we still have directory traversal and SQL injection vulnerabilities in 2025.

@bontchev @adamshostack My favorite example: programmers are taught to use prepared statements, so at first it seems their app doesn't have any SQLi's. Until they add a feature where the user controls result set ordering: you can't use bound variables for field names, so there's a vuln 90% of the time (IME, with wildly different dev teams).
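
The ORDER BY case from the reply above, as an added example that is not part of the thread: a parameter placeholder cannot stand in for a column name, so the defensive pattern is to map the user-supplied sort key through an allowlist and build the clause from the mapped value only. Table, column and key names here are constructed for the demo; `build_order_by`, `naive_order_by` and `fetch_products` are illustrative helpers, not any project's API.

```python
import sqlite3

# Allowlist of user-visible sort keys -> the real column each maps to.
# Constructed for this example; a real app lists its own sortable columns.
SORT_COLUMNS = {
    "name": "name",
    "created": "created_at",
    "price": "price",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def naive_order_by(sort_key: str) -> str:
    """The pattern the reply warns about: the field name is concatenated
    straight into the SQL text, so whatever the client sent ends up in the query."""
    return f"ORDER BY {sort_key}"


def build_order_by(sort_key: str, direction: str = "asc") -> str:
    """Return an ORDER BY clause built only from allowlisted identifiers.
    Anything not in the allowlist is rejected rather than passed through."""
    try:
        column = SORT_COLUMNS[sort_key]
        dirn = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort_key!r}/{direction!r}") from None
    return f"ORDER BY {column} {dirn}"


def is_rejected(sort_key: str, direction: str = "asc") -> bool:
    """True if the allowlist refuses this sort key/direction pair."""
    try:
        build_order_by(sort_key, direction)
    except ValueError:
        return True
    return False


def fetch_products(conn: sqlite3.Connection, sort_key: str, direction: str = "asc",
                   min_price: float = 0.0) -> list:
    """Values still go through bound parameters; only the ORDER BY identifier
    comes from the allowlist mapping."""
    sql = ("SELECT name, price FROM products WHERE price >= ? "
           + build_order_by(sort_key, direction))
    return conn.execute(sql, (min_price,)).fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, created_at TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("widget", 9.5, "2024-01-03"),
         ("gadget", 19.0, "2024-01-01"),
         ("doohickey", 4.25, "2024-01-02")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(fetch_products(db, "price", "desc"))   # gadget, widget, doohickey
    print(is_rejected("name; --"))               # True: not an allowlisted key
    print(naive_order_by("name; --"))            # the raw string, unchecked
```

The allowlist keys are deliberately decoupled from the real column names (`created` maps to `created_at`), which also keeps schema details out of the URL. A review check for this class of bug: grep for ORDER BY, GROUP BY and table/column names built with string formatting, since those are exactly the places where a team that otherwise uses prepared statements has no placeholder to reach for.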