Comment Re:Undefined requirements (Score 1) 145

There is an industry effort to define a "watch list" for common mistakes that lead to security flaws. Co-led by the folks behind the Common Weakness Enumeration at MITRE and the SANS Institute, the SANS Top 25 (full listing here) is being used as a requirements document for the security of purchased applications by the State of New York, among others.

It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.

Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.

Comment Platforms (Score 1) 145

If you take a look at the full report (registration required), you'll see that the application pool from which the report was drawn was 47% Java, 31% C/C++ (on Windows, Red Hat Linux, and Solaris), and 22% .NET. Other data is provided (industry, supplier type) to help frame the terms of the application pool from which the data was drawn. We acknowledge the inherent selection bias (the applications in the report come from our customers) in the methodology section.

Disclaimer: I work for Veracode and was a co-author of the report.

Comment Sample sizes, testing (Score 1) 145

You can check out the full report online from the Veracode.com website (requires registration).

We disclose the sample size in the appendix (1591 applications).

You can test the quality of code you are developing yourself with a simple source code scanner, but testing third party code is a little more challenging. I don't know too many significant applications that are entirely created in house, with no dependency on third party libraries.

Disclaimer: I work for Veracode and was a co-author of the study.
