We received several reports today of a high profile software vendor's website that had a directory traversal bug in a specific script.  And while it is fun to find these still in existence in 2007, it's probably more likely that new code was introduced or existing code was modified without the security auditors looking at it.

So how good is your change management process when it comes to code that has been security reviewed?  In most cases, reviewing the changes is just as important as performing the code audit in the first place.