Channel Register

Google security vulnerabilities stack up

Chris Miller

Security? We don't need no security!

Imagine you're the CEO of a Web 2.0 startup working on the Next Big Thing. Your product is ready for release, but you have the choice of paying a security team a lot of money to spend 3 months kicking the tyres to find (most of) the security holes. You're going to pay the money and hold off, aren't you, since security is "Job #1"? Yeah, right!

Users can't see security - except when it gets in the way or (ultimately) when it fails. And first to market trumps other concerns.

Wrapping insecure code with endless layers of sticking-plaster patches doesn't work and only introduces more holes. The only way to get a truly secure product is to design security in from the ground up. But that's tough to do, adds costs, diminishes the user experience and (worst of all) delays development. And that's why we have insecure software and (until something changes fundamentally) always will have.

amanfromMars

Blue Skies .......... Joust Thinking.

"The only way to get a truly secure product is to design security in from the ground up."

Actually, in the Next Big Thing, insecurity is designed out to get a truly secure product. IT is AI Way.

Ariel

NoScript Anti-XSS

From http://noscript.net/features#xss :

"While Cross-Site Scripting (XSS) vulnerabilities need to be fixed by the web developers, users can finally do something to protect themselves:

NoScript is the only effective defense available to "web-consumers", waiting for "web-providers" to clean up their mess."

This GMail XSS flaw is just the tip of an iceberg; check http://xssed.org/pagerank