
CIOZone Experts

Opinions and views from expert CIOZone members.

Feb 05, 2012

A 2012 New Year’s Resolution for Developers

Posted by MRobinson in software security, software developing, secure coding

People often believe that a developer who is capable of creating clean, functional code will by default be writing secure code. Unfortunately, this is not always the case.

Security vulnerabilities can result from poor code, and functional bugs can be security bugs too, but the trickiest security issues result from code that does more than you expect. The application may pass all of its functional tests yet still have additional, unintended functionality that can result in a vulnerability. For instance, a web site with a SQL Injection vulnerability could work perfectly well for a normal user and then work a little too well for a malicious user! It's important to think of abuse cases, not just use cases. Consider: What are the threats to this application? How would an attacker visualize (and subsequently attack) it? How do I code defensively against these threats?
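The use case versus abuse case distinction above, as an added example that is not part of the original post: the same lookup written with string concatenation and with a bound parameter, each run through one functional test and one abuse-case test. The table, sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: three orders owned by three different users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "laptop"), (2, "bob", "phone"), (3, "carol", "desk")])
    return db

def orders_for_concat(db, owner):
    # Deliberately vulnerable: the caller's input becomes part of the SQL text.
    sql = "SELECT item FROM orders WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def orders_for_param(db, owner):
    # Hardened: the input is bound as a value and never parsed as SQL.
    sql = "SELECT item FROM orders WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]

def use_case_passes(lookup):
    # Functional test: a known user sees their order, an unknown user sees nothing.
    db = make_db()
    return lookup(db, "alice") == ["laptop"] and lookup(db, "nobody") == []

def abuse_case_passes(lookup):
    # Abuse-case test: an owner name containing SQL syntax must be treated as
    # a literal name that matches no rows.
    db = make_db()
    hostile = "x' OR '1'='1"
    try:
        return lookup(db, hostile) == []
    except sqlite3.Error:
        # A SQL error triggered by input also means the input reached the parser.
        return False

if __name__ == "__main__":
    for fn in (orders_for_concat, orders_for_param):
        print(fn.__name__,
              "| use case passes:", use_case_passes(fn),
              "| abuse case passes:", abuse_case_passes(fn))
```

Both versions pass the functional test; only the abuse-case test tells them apart, which is why it belongs in the same suite.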






Copyright © 2007-2013 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.