Web applications remain one of the most vulnerable parts of the enterprise computing infrastructure. Organizations have taken extraordinary measures over the past decade to shore up network security as well as platform and hardware security in the data center, but Web applications have generally been left behind. The complexity of Web applications combined with a lack of security awareness among developers leads to a woeful state of vulnerability to SQL injection and cross-site scripting (XSS), even though these types of attacks have been happening for years. Estimates from application security vendor WhiteHat indicate that