Google Hacking for Penetration Testers

Defining Web Application Security

Web application security (a term often abbreviated to Web app sec) deals with the overall architecture, logic, coding, and content of a Web application. In other words, Web application security isn't about operating system vulnerabilities or the security defects in your commercial products; it's about the vulnerabilities in your own software. As such, it isn't a replacement for existing security practices but rather complements them. Hopefully after reading this chapter you'll have a clear understanding of some Web application vulnerabilities and of how the discipline of Web application security differs from what most people typically consider Web site security. It can help to understand Web app sec by first understanding what it isn't, since the terms Web and application are used broadly in various areas of Internet security. Web application security is not about the following:

  • Trojans or viruses: Firewall manufacturers that have learned how to deal with these often describe their products as providing "application security." Although these products do indeed deal with issues at an application level, they're simply talking about the application level of the OSI stack, not your Web application. The difference is quite distinct in reality, although it has been heavily blurred in the marketing. There are very few actual Web application firewalls on the market, and they are all quite specialized devices; if the same firewall vendor you've been using for years claims to have an application firewall, dig into...
