Abstract

Everyone knows about SQL injection and XSS, so why do developers continue to write code with these defects? We’ve performed a study of millions of lines of Java code to understand what leads developers to use unsafe coding practices. We unveil a new open-source security escaping library and new coding patterns developers can use to mitigate defects with minimal disruption to their code.