Many organizations are interested in building web applications for their business but are unaware of the various steps needed to build a compelling one. Choices have to be made about the operating system (e.g. Windows, Linux or Solaris) on which the application will run, the web server (e.g. Microsoft IIS, Apache or Tomcat) that will serve it, and the back-end database (e.g. Microsoft SQL Server, Oracle, MySQL or Postgres) that stores its data.
Some sites require no more than web design, but many sites today require both web design and web programming, for example multi-tier applications with a presentation layer, a logic layer that connects the presentation layer to the database, and a data layer that contains the database itself.
The problem is that it’s impossible to be perfect forever when it comes to security, and one day a developer might write something like “SELECT * FROM users WHERE id = 5” and then dump the results directly into JSON to feed the AJAX call they just implemented on their new-and-improved profile page.
This can be really hard to catch in code review because nothing in the new code explicitly mentions sensitive data – the sensitive columns just happen to be swept up along with the rest and dumped out into the (relatively speaking) public eye.
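As an added example (not code from the original post), here is that pattern next to a hardened version, using a constructed SQLite table; `profile_unsafe`, `profile_safe`, `unexpected_fields` and the column names are hypothetical. The explicit column allowlist also covers sensitive columns added to the table later, which `SELECT *` would silently pick up.

```python
import json
import sqlite3

# Constructed sample schema and row (not from the original page): a users table
# that, as tables tend to, has grown sensitive columns next to the public ones.
_conn = sqlite3.connect(":memory:")
_conn.row_factory = sqlite3.Row
_conn.executescript(
    """
    CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        display_name TEXT,
        email TEXT,
        password_hash TEXT,
        api_token TEXT
    );
    INSERT INTO users VALUES
        (5, 'alice', 'alice@example.test', '$2b$12$examplehash', 'tok_example_123');
    """
)

# The only columns that may ever appear in a profile response. Anything not
# listed here, including columns added to the table later, is never serialized.
PUBLIC_PROFILE_COLUMNS = ("id", "display_name")


def profile_unsafe(user_id):
    """The pattern described above: fetch the whole row and dump it as JSON."""
    row = _conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    return json.dumps(dict(row))  # password_hash and api_token ride along


def profile_safe(user_id):
    """Hardened version: the SQL itself names only the public columns."""
    # cols comes from a code constant, never from request data, so the
    # f-string is safe; the user id is still bound as a parameter.
    cols = ", ".join(PUBLIC_PROFILE_COLUMNS)
    row = _conn.execute(f"SELECT {cols} FROM users WHERE id = ?", (user_id,)).fetchone()
    return json.dumps(dict(row))


def unexpected_fields(payload):
    """Review-time check: which keys in a JSON response fall outside the allowlist?"""
    return sorted(set(json.loads(payload)) - set(PUBLIC_PROFILE_COLUMNS))


if __name__ == "__main__":
    print(profile_unsafe(5))
    print(profile_safe(5))
    print("leaked:", unexpected_fields(profile_unsafe(5)))
```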
There are other alternatives like generating and sending tab identifiers to the server to be able to track the separate tabs’ cache, but stopping a user from opening the same Work Unit in more than one tab or window is the route we took with the relevant apps.