According to statistics gathered by the Web Application Security Consortium and reported by Information Week, attacks against Web applications are on the rise. In fact, if the trend continues to the end of the year, 2006 will be the worst year on record for Web application security breaches. According to the article, this is happening for two reasons:
1. The prevalence and availability of tools that make it easier to find and exploit vulnerabilities in Web applications.
2. Web applications aren't often designed with security in mind.
There are even more reasons for this trend than those covered in the article, such as the emergence of worms and other automated attacks that target vulnerabilities in Web applications. Furthermore, knowledge of Web application attacks is becoming commonplace, reducing the average attacker's reliance on tools. Many attackers now need only a browser to wreak havoc in a poorly designed Web application.
The second reason the article gives, however, is the crux of the problem. Web applications that weren't designed with security in mind are far more likely to have problems later on. Even if the problems are discovered before they hit the news, it is costly and difficult to retrofit an application with security controls. On the other hand, when security is incorporated into the software development lifecycle from the beginning, the application is prone to fewer vulnerabilities and is much less likely to end up in the news because of an intrusion.