This year kicked off with yet another panic over a vulnerability in Windows, this time an image-handling flaw that exposed users to attack if they encountered a malicious Windows Metafile (WMF).
The WMF bug caused significant damage, but less than some expected, which may indicate that the industry is gradually learning to manage client security. Operating systems, even Windows, are getting more secure. Automatic software updates, running with limited user rights, safer web browsers and better firewalls are gradually making a difference.
By contrast, problems with web applications are harder to manage. One issue is the thousands of insecure PHP or other web scripts that get installed and are never updated, even when the programmers come up with fixes. The result is web servers that are vulnerable to attack.
Custom applications pose an even greater risk. Here, the onus is on developers to write secure code. That’s not easy, especially in an industry always under pressure to deliver rapid development and richer features. Security experts at Netcraft, which audits web applications, typically find problems such as weak session management, SQL injection risks, buffer overflows and vulnerable debug code mistakenly left in production applications.
Perhaps the biggest issue is cross-site scripting. In a paper presented at the JavaOne conference last year, Cisco security architect Martin Nystrom claimed that 95 percent of web applications have flaws, with 80 percent vulnerable to cross-site scripting attacks.
With this type of flaw, a web application is manoeuvred into running scripts that originate from other sites or from user input. The outcome might include sending confidential information to a hacker, or running malicious scripts with a high level of trust, or creating highly plausible phishing sites by URL redirection. The current trend towards rich browser applications, which make heavy use of client-side JavaScript and XML web services, is likely to increase the risk of cross-site scripting application flaws.
SQL injection, second on Nystrom’s list at 62 percent, is another major concern. If attackers are able to execute arbitrary queries or even updates against databases, the consequences are severe.
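As an added illustration of the two flaws discussed above, not code from the original article: a reflected search term rendered with and without HTML encoding, and a login query built by string concatenation beside its parameterised form. The table, rows and sample inputs are constructed for the example.

```python
import html
import sqlite3

# Constructed sample input: a search term carrying script markup.
HOSTILE_TERM = '<script>alert(1)</script>'

def render_results_unsafe(term):
    """Reflects the user-supplied term into HTML verbatim: the XSS flaw."""
    return f"<p>Results for: {term}</p>"

def render_results_safe(term):
    """Encodes the term for an HTML text context before reflecting it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def make_demo_db():
    """In-memory table with one constructed user row for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_unsafe(conn, name, password):
    """Concatenates input into the statement, so input can alter the query."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name='{name}' AND password='{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, name, password):
    """Parameterised query: the driver keeps values separate from SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0
```

The safe variants are the fixes an audit of the kind described above would ask for: encode on output for the context the data lands in, and bind query parameters instead of building SQL from strings.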
The implication for companies running web applications is that security deserves higher priority than it gets. There are tools that conduct automated audits, but they are prone to high levels of false positives, and cannot guarantee that every flaw is discovered. What counts for more is a development culture in which security is valued as highly as reliability.