The problem in web application security is everyone so blindly and exclusively talks about ???best practices??? like the SDLC, input validation, threat modeling, PCI compliance, source code reviews, scanners, developer education, WAFs, and other topics.