Google Hacking for Penetration Testers

Web application security deals with securing the actual application being served on a Web site, not the Web server, network, or operating system.
Web application security deals with your own software. It doesn't mean Trojans, viruses, spam, or Web filtering. These are all application-level issues that are important to life on the Net but have nothing to do with Web application security.
Web application security is a necessary complement to your efforts to secure your servers and networks. Without a secure application, the security in these other areas is undermined.
Network and operating systems security typically deals with "known" vulnerabilities.
Known vulnerabilities can benefit from a homogeneous environment.
Most Web applications are custom developed so their vulnerabilities are unique to that application; they are not public, not "known."
The lack of security in Web applications can generally be attributed to the lack of security awareness in the Web development industry and the lack of appropriate security testing.
Web hacking is an easy discipline and generally requires few tools.
Traditional perimeter security is generally ineffective against Web application exploits.
Web application vulnerabilities can exist in almost any facet of the application, from the logical construction of authentication mechanisms and session management down to individual function calls.
Search engines crawl only a portion of what's available to a hacker.
Search engine hacking finds targets of opportunity, but don't rely...