Google Hacking for Penetration Testers

The Uniqueness of Web Application Security

The differences between Web application vulnerabilities and known/server vulnerabilities deserve further discussion. When people talk about vulnerabilities (and vulnerability assessments in particular), the majority of the industry deals with "known vulnerabilities" that homogeneously affect every install of the particular version of the affected software. This allows for several luxuries in dealing with these types of vulnerabilities:

  • When a vulnerability is announced, everyone becomes aware of the vulnerability at the same time. Not all vulnerabilities that are discovered are announced, however.

  • Everyone is affected by the vulnerability in the same manner, allowing for a single solution to be applied, usually a software patch from the software manufacturer.

  • Since the vulnerability is identical across the board, a single "signature" of it can be created and applied to any number of scanners, firewalls, or intrusion detection devices.

In contrast to these network or OS vulnerabilities, most Web application vulnerabilities aren't "known" vulnerabilities. Since they exist in the Web application, which is almost always custom written, they are unique to that application. Of course, the technique or methodology might be well known (as SQL injection is well known), but not every Web application will be vulnerable to a certain technique, and even the ones that are will be vulnerable in unique areas in different ways.

This has a real impact on how you deal with Web app vulnerabilities; since they're your own custom-built vulnerabilities, you have to deal with them yourself. This means:

  • You won't receive a vulnerability...
