"The last two years have seen a significant surge in the amount
of web application specific vulnerabilities that are disclosed to
the public. No web application technology has shown itself
invulnerable, and discoveries are made every day that affect both
owners' and users' security and privacy.
"Security professionals have traditionally focused on network
and operating system security. Assessment services have relied
heavily on automated tools to help find holes in those layers.
Today's needs are different, and different tools are needed.
Despite this, the basic tenets of security design have not
changed. This document is an attempt to reconcile the lessons
learned in past decades with the unique challenges that the web
"While this document doesn't provide a silver bullet to cure all
the ills, we hope it goes a long way in taking the first step
towards helping people understand the inherent problems in web
applications and build more secure web applications and Web
Services in the future..."