We used to have simple web sites. The web server sent HTML to the browser which displayed it. This was a "brochureware" site; designed for marketing or advertising. There was no business data anywhere near the web site.

Now we no longer have web sites, we have web applications; and soon, web services. Web applications reside on multiple systems in distributed architectures, using sophisticated programming languages. Corporate and customer data has been moved to the computing edge. The edge has been extended to mobile phones, PDAs, mobile sales force systems, inventory management systems, etc.

Web applications invite public access to an organisation's most sensitive data. Customer information, transaction information and even proprietary corporate data can be accessed through web applications.

Access to the application must be allowed by firewalls and access control lists, otherwise the application won't work. This inherent trust is precisely what hackers attempt to exploit.

We secure our web sites by hardening and protecting the servers and restricting access from the outside. However, the web application has to be accessible to the public. The web application itself contains many vulnerabilities that may be exploited. Traditional perimeter security cannot help secure the application, since application vulnerabilities are exploited over HTTP.


Web applications breach the perimeter and provide direct access to customer and business data on backend databases.

Recent incidents include a hacker gaining access to more than five million Visa and Mastercard accounts in February 2003; the Record Industry Association of America hacked seven times in six months; a vulnerability at Tower Records allowing anyone to view the customer orders database in December 2002; and Ziff Davis paying $500 to its customers after lax security exposed personal data of thousands of subscribers.

The Problem

The problem is that, by and large, security professionals don't understand web applications, whilst frequently application developers don't know security. It's an old story in new clothes. Even when web application audits are required, the lack of effective tools has made them impractical. Frequently security is entirely absent from the application development cycle. Security departments scrutinise the desktop, the network, even the web servers, but the web application escapes examination.

Web application vulnerabilities occur for many reasons. Of primary concern is the focus on functionality at the expense of security. The lack of security awareness and any form of audit during the development cycle is a serious handicap. Even in development teams that are security-aware, there has been a lack of effective testing tools, as well as severe resource limitations prohibiting code reviews.

The bottom line is that development creates functionality and QA tests that functionality. Security is missing entirely.

The Vulnerabilities