5 Hacks that May Be Affecting Your Apps

Sep-17th-2010

For the past 20 years, organizations focused on protecting the network, but in the last 10 years, it has become clear that the core threat is access to the network. The network is just a means to an end. The threat has always been access to the private data and the applications or business functions that interact with data.

There are two fundamental categories that all application security products fall into: vulnerability prevention or threat detection. Enterprises are trying to balance a proactive, prevention-based strategy against a more reactive, detection-based one. What should be made clear is that no application security practice can achieve an acceptable level of success without implementing both preventive and detection mechanisms.

Web application firewalls are threat detection devices. The primary purpose of a firewall is to detect and block invalid or malicious requests to your Web application. Web application scanners and source code analyzers are fundamentally prevention solutions: they are used before an application is exposed to the Web, so the vulnerabilities they find can be eliminated outright rather than merely blocked. There is also a balance between the amount of time you have to investigate the security stance of an application and the appropriate mixture of automated and manual approaches. Some detection mechanisms are well suited to short-term, immediate protection.

The five critical vulnerabilities that could affect your web applications are these:

Cross-site scripting (XSS)
Cross-site scripting is one of the most prevalent attacks against Web applications. It offers many of the same advantages to an attacker as the buffer overflow: it is relatively easy to carry out and can cause the client's browser to execute arbitrary client-side script controlled by the attacker.

SQL injection
Injection flaws represent one of the predominant attacks carried out against today's Web-based applications. The common theme of injection attacks is that somewhere in the source code an interpreter takes in data and treats that data as a form of code. SQL injection is a technique in which a user supplies input containing SQL commands so that the application's SQL interpreter ends up executing them. It sometimes takes several iterations of attack strings before the input yields a properly formatted SQL statement and the injection succeeds. When the application returns details about the actual database error, allowing the attacker to fine-tune the syntax, this is typically referred to as normal SQL injection.
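The "interpreter treating data as code" point above, as an added example that is not part of the original article: a login query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table. It also shows the raw database error the concatenated version leaks when the input merely contains an apostrophe, the detail the article says lets an attacker refine the syntax.

```python
import sqlite3

# Constructed in-memory user table standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "battery staple", "user"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the command by concatenation, so the SQL interpreter parses user
    data as part of the command: a quote in the input changes the query's structure."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_parameterized(conn, username, password):
    """Sends the command text and the data separately (bound parameters), so the
    interpreter never treats the data as code, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def leaked_error(conn, username, password):
    """Returns the raw database error the vulnerable path would hand back to the
    client (the detail that lets an attacker tune the syntax), or None."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe already breaks the concatenated query;
    # the error text is exactly what should never reach the client.
    print("leaked error :", leaked_error(db, "O'Brien", "pw"))
    print("bound params :", login_parameterized(db, "O'Brien", "pw"))
    # The textbook tautology: the concatenated WHERE clause becomes always-true,
    # while the bound version simply finds no matching row.
    tautology = "x' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "x", tautology))
    print("parameterized:", login_parameterized(db, "x", tautology))
```

Detection follows the same line: an application that surfaces the database engine's own error text to the client is advertising the concatenation path, so those messages belong in server logs, not in responses.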

AJAX injection
AJAX injection is a relatively new type of attack that is not yet common, but as the use of AJAX increases it may become a dangerous one. AJAX itself is a client-side JavaScript and XML framework.

Insecure communications
Insecure communications mainly concerns the use of secure sockets layer (SSL) to encrypt sensitive information between the client (usually a Web browser) and the Web application. This is extremely important to ensure that sensitive data is not transmitted in the clear, especially user authentication data and personally identifiable information.

Web services
As more and more organizations move to a service-oriented architecture (SOA), Web services are being heavily leveraged as the predominant enabling technology. Web services present a new input vector to an application, and attacks against Web service-enabled applications are on the rise.
