Web Application Security: The Land that Information Security Forgot Today, the vast majority of those within information security have heard about web application security and posses at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications become undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential. Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security". This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures. Founder and chairman of WhiteHat Security, and former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah was designing, auditing, and penetration-testing the huge company's web applications which demand highest security. During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as the Defcon, Air Force and Technology Conference, ToorCon, and others. Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and considered to be among the foremost web security experts.