5 Threats that make your Website Vulnerable, Part 3: Writing Secure Websites is a Hard Work!

 
Author: Richard Touret

"Web application security is at its worst: we almost always find flaws, this shows that developers did not take security aspects into account. And this may come from world class software companies." (HSC)
"For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities." (SPI Dynamics)


Web protocols are not secure by default, but web application developers could substantially raise the security bar with sound coding principles. As M. Andrews and J. Whittaker put it in their Guide to Web Application Security: "If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection -- gone, XSS -- gone, parameter tampering -- gone."
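The allowlist approach the quote describes, as an added example in Python (not code from the article or from Binarysec): each expected parameter is matched against the exact shape it should have, anything unknown or mis-shaped is rejected outright, and the validated value is still bound as a query parameter rather than concatenated. The parameter names, rules and in-memory table are constructed for the demonstration.

```python
import re
import sqlite3

# Allowlist rules: each expected parameter is described by the exact shape it
# must have. Input that does not match is rejected; nothing is "filtered".
RULES = {
    "user_id": re.compile(r"[1-9][0-9]{0,9}"),
    "username": re.compile(r"[a-z][a-z0-9_]{2,15}"),
    "sort": re.compile(r"name|id"),
}

class ValidationError(ValueError):
    """Raised for any parameter that is unknown or has an unexpected shape."""

def validate(params):
    """Return only parameters that are known and match their allowlist rule."""
    clean = {}
    for key, value in params.items():
        rule = RULES.get(key)
        if rule is None:
            raise ValidationError(f"unexpected parameter: {key!r}")
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"parameter {key!r} has an unexpected shape")
        clean[key] = value
    return clean

def make_demo_db():
    """Constructed in-memory sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "bob"), (2, "alice")])
    return conn

def lookup_user(conn, params):
    """Fetch one user: the id is validated, then bound as a query parameter."""
    clean = validate(params)
    if "user_id" not in clean:
        raise ValidationError("missing parameter: 'user_id'")
    uid = int(clean["user_id"])
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchone()

def list_users(conn, params):
    """List users ordered by a column. Column names cannot be bound as query
    parameters, so the allowlist on 'sort' is what keeps the query fixed."""
    clean = validate(params)
    column = clean.get("sort", "id")  # only 'name' or 'id' can reach this point
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()
```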

This is not so simple. M. Graff and K. van Wyk, in Secure Coding: Principles and Practices (O'Reilly, 2003), identify three sets of factors that work against secure coding. Applied to web application coding:
- Technical factors (the underlying complexity of the task itself): tens of scripts, languages (PHP, ASP, Perl, Python, JavaScript, ActiveX, SQL, ...), applications and libraries are developed in-house, inside open-source communities or by software vendors. This generates complexity and demands extensive knowledge and controls.
- Psychological and human factors (the mental models): you only see the errors you know! Error checking and testing are not the most noble parts of a programmer's job. Security holes often arise because unpredictable user (or attacker) behavior was not taken into account, or because, for instance, the expected inputs were not specified precisely enough.
- Real-world factors (economic and other social factors that work against security quality): web programming is easier than assembler coding, and writing a script or an HTML page does not require extensive experience or software engineering skills. Then come the economic aspects: professional programmers are usually evaluated on how easily and quickly they can write new software functionality, not on their ability to secure code.
Unfortunately, from a software vendor's perspective, launching a new product on time matters more than launching secure software!

The next part will discuss the limits of traditional tools.

Richard Touret is a manager at Binarysec, http://www.binarysec.com , a security software company that publishes an intelligent web application softwall (software firewall). This Apache module adapts to most web sites, learning legitimate traffic in order to block malicious requests, including SQL injection, cross-site scripting, directory traversal, forceful browsing, command injection, parameter tampering, attack obfuscation, buffer overflow, ...

Author Bio:
Richard Touret is a noted author. Richard likes to create articles about this area.
Copyright © 2006-2008 www.bumpyjump.com - All Rights Reserved.