What Really Makes a Web Application Secure?