Adam Baldwin (@adam_baldwin), cofounder and "Chief Pwning Officer" at nGenuity and operator of a very groovy site called EvilPacket, was kind enough to drop by PNNL to give a presentation about web security.
He presented on Distributed Version Control System (DVCS) vulnerabilities in systems like Git and Mercurial. The core problem is that many hosts unwittingly turn their web servers into public file servers for their revision control system: if the repository is reachable over HTTP, anyone can directly download its contents or recreate the code and non-code files from it.
Most of the vulnerabilities he showed stem from the repository's contents being served publicly instead of being locked down. On top of that, the repositories were being used to store information, such as customer transactions, that does not belong in source control at all.
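Two defensive checks follow from the point above: audit the document root for DVCS metadata that should never have been deployed, and make the application refuse to serve any request whose path touches such a directory even if one slips through. The code below is an added illustration, not anything from Adam's talk; the directory names, the WSGI middleware and the sample tree it builds are my own assumptions.

```python
"""Audit a web root for exposed DVCS metadata and block requests for it.

Added example (not from the talk). Assumes a plain WSGI application and the
common metadata directory names listed in VCS_DIRS.
"""
import os
import tempfile
from pathlib import Path

# Metadata directories (or files, for git worktrees/submodules) that a web
# server must never expose. Names are compared case-insensitively.
VCS_DIRS = {".git", ".hg", ".svn", ".bzr"}


def find_vcs_metadata(docroot):
    """Return sorted, POSIX-style relative paths of VCS metadata under docroot."""
    root = Path(docroot)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            if name.lower() in VCS_DIRS:
                found.append(Path(dirpath, name).relative_to(root).as_posix())
        # No need to descend into the metadata directory itself.
        dirnames[:] = [d for d in dirnames if d.lower() not in VCS_DIRS]
    return sorted(found)


def is_vcs_request(path_info):
    """True if any segment of the (already URL-decoded) request path is VCS metadata."""
    return any(seg.lower() in VCS_DIRS for seg in path_info.split("/") if seg)


def deny_vcs_middleware(app):
    """Wrap a WSGI app so requests for VCS metadata get a 404 instead of the file."""
    def wrapped(environ, start_response):
        if is_vcs_request(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return app(environ, start_response)
    return wrapped


def call_app(app, path_info):
    """Tiny WSGI driver: returns (status, body) for a GET of path_info."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path_info, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body


def static_app(environ, start_response):
    """Stand-in for a real static file handler: happily serves anything."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served " + environ["PATH_INFO"].encode()]


def build_sample_docroot():
    """Constructed sample tree: a deployed site that still carries its repo."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    Path(docroot, ".git").mkdir()
    Path(docroot, ".git", "HEAD").write_text("ref: refs/heads/master\n")
    Path(docroot, "app").mkdir()
    Path(docroot, "app", ".hg").mkdir()
    Path(docroot, "index.html").write_text("<h1>hello</h1>\n")
    return docroot


def main():
    docroot = build_sample_docroot()
    for rel in find_vcs_metadata(docroot):
        print(f"exposed metadata: {rel}")
    guarded = deny_vcs_middleware(static_app)
    for path in ("/index.html", "/.git/HEAD", "/app/.hg/store/00manifest.i"):
        status, _ = call_app(guarded, path)
        print(f"{path}: {status}")


if __name__ == "__main__":
    main()
```

The audit belongs in the deployment pipeline (fail the deploy if it reports anything); the middleware is a belt-and-braces measure, since the web server's own deny rule for these directories should stop the request first.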
I personally have tried out Heroku, a web host that accepts deployments via Git integration, and I find the experience of using DVCS pleasant and appealing. I would like to see the approach become the new normal, despite the vulnerabilities Adam pointed out. I wish I had it at work.
Having finished his prepared content, Adam went on to his best demo: hacking his own bank account using cross-site request forgery. I had seen the demo at DocType; however, seeing it again months later and hearing him say "it's still not fixed!" was distressing.
Perhaps the biggest takeaway from his presentation is that security is an artifact of culture more so than of tools and techniques. If the owner and operator are responsible and responsive, the system will have good integrity. If they are apathetic, the system will reflect that. There is no way to mend every hole in your fence, and the bad guys only need one to get through. The first step is to understand that looking for holes and mending them matters; Adam's prescribed next step, which he really didn't detail, is having a plan for when someone does get through.