Adding to the problem is the growing complexity of Web application environments, especially since most of them are designed to receive and process input from external sources, such as customers and business partners. Large Web applications can have hundreds of places where users input data, each of which offers an opportunity for an attacker to inject malicious code into the system.
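To make the point concrete, here is an added example (not from the article or from anyone quoted in it) of one such input point: a user-lookup function that builds its SQL query by string concatenation, beside the same function using a parameterized query. The table, the rows and the `INJECTED` test string are constructed for the illustration and run against an in-memory SQLite database so the example is self-contained.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: user input is spliced directly into the SQL text,
    so the input can change the structure of the query, not just its data."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the SQL text is fixed and the input is bound as a
    parameter, so the database driver treats it purely as a value."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Constructed input that closes the quoted string and appends an always-true
# condition; it is here to show why the concatenated version is unsafe.
INJECTED = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:  ", lookup_vulnerable(db, INJECTED))
    print("parameterized, crafted input:", lookup_parameterized(db, INJECTED))
```

With ordinary input both functions return the single matching row; with the crafted string the concatenated query returns every row in the table, while the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. A code scanner of the kind mentioned later in the article flags the first pattern precisely because the query text is assembled from a variable rather than bound as a parameter.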
Finding such vulnerabilities isn't easy, Wang said. And fixing them can be even harder because of the highly interconnected nature of Web applications. For example, fixing a code-injection error in a shopping cart function in an e-commerce application could require several tweaks to the entire application, she said.
Automated tools are available today to scan Web application code for errors and to run penetration tests. While Web application firewalls, intrusion detection systems and data encryption measures can mitigate some of the risks, companies running Web applications still need to ensure that the underlying code is as clean as possible, according to analysts.