The cross-site scripting (XSS) flaw discovered on the website of American Express (see full story http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212501694) is typical of the sort of issue I see on a pretty regular basis.
The full disclosure is here: http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-american-express.html
At the same time, it’s becoming increasingly difficult to guard against such flaws because code is coming into play from so many different sources to make up increasingly complex web products: you’ve got your own developers writing code and downloading “useful” components to include in the build, maybe a third party developing some further controls, third-party CRM systems, connections to various web services and so on. Testing of any web product needs to include the full scope of the system, and that means the third-party stuff too.
More fundamentally, wherever you find weak processes, a lack of standards, poorly planned and thought-out testing, and developers being pushed to deliver as many features as possible in as short a time as possible you will also find security flaws. It’s a fact.
How to avoid cross-site scripting flaws is basic stuff. There’s no excuse for it but AMEX, as a result of somebody failing to check that some basic validation processes were used and tested, now find this story about the quality of their online security sprayed all over the Internet.
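To make the "basic stuff" concrete, here is an added example (mine, not code from the post or from American Express) contrasting the reflected-XSS pattern with its hardened form. It assumes a hypothetical search page that echoes a query-string value back into the response; the sample input is constructed. The point is context-aware output encoding: HTML-entity encoding for text inside a tag, and URL encoding followed by attribute encoding when the value lands inside an `href`. A small parser-based check shows which tags a browser would actually see in each rendering, which is the kind of test the post says nobody ran.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample input standing in for an untrusted query-string value
# (the kind of thing a tester feeds a "search" or "error message" parameter).
SAMPLE_INPUT = 'card"><script>alert(1)</script>'


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """Hardened: entity-encode for the HTML body context before interpolating."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_link_safe(term: str) -> str:
    """Hardened attribute/URL context: percent-encode for the query string,
    then attribute-encode the result so neither layer can break out of href."""
    url_value = quote(term, safe="")
    return f'<a href="/search?q={html.escape(url_value, quote=True)}">Search again</a>'


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    """Return the start tags a browser-like parser would find in `markup`.
    A rendering is only acceptable if the set matches the template's own tags."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def main() -> None:
    for name, renderer in (("unsafe", render_unsafe),
                           ("safe", render_safe),
                           ("link_safe", render_link_safe)):
        out = renderer(SAMPLE_INPUT)
        print(f"{name:10s} tags={tags_in(out)}  {out}")


if __name__ == "__main__":
    main()
```

Running it shows the unsafe rendering carries an extra `script` tag while both hardened renderings contain only the template's own tag. The same check can be run in a unit test against every template that echoes user input, which is a cheap way to catch the validation gap the post describes before a third party finds it.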