Talking about web application security lately is making me nuts. It's been about what, 12 years since we security folks started preaching about "firewalls", right? That took at least 5 years before anyone started taking firewalls with any serious thought - and now it's just a matter of need when building a network. People started putting in firewalls because servers got hacked, and bad things happened.
This got me thinking. Servers got hacked the "old fashioned way" which meant that a bad guy scanned one of the millions of IPs on the Internet, over the range of 65, 535 ports available looking for one to exploit, and then tried one of dozens of exploits available for any given listening service (such as an XP-on-Win32 exploit for DCOM). The odds of this were good - but the execution wasn't simple, and the attacker had to go find targets.
In comes the browser. Forget port-scanning, customizing exploits to processors + operating systems, listening services. Just craft an exploit that any standards-based browser can exploit, such as Cross-Site Scripting (XSS), reflect it to the victim (who is willingly coming to the attacker), and voila. Hacked.
The browser is such a double-edged sword... Users love it because it drives all the cool "web stuff" they can do like Facebook, MySpace, YouTube, and so on... and it's a hacker's dream. No longer does the attacker have to go out seeking servers with Internet-open ports to scan and victimize... the attacker simply follows the Kevin Costner (Field of Dreams) model... if you build it, they will come... and you can exploit them. This of course blows the firewalled machine model right out the window. It doesn't matter that they're firewalled, the avenue for exploit so much greater than a firewalled server.
... and people tell me that they just don't see the value in spending copious amounts of money and resources on securing web apps. Makes me crazy.