Organised cyber-crime is the most frequent threat actor for web application attacks, and attacks like SQL injection grew 150% in 2015. Your web-facing infrastructure and custom applications are being targeted daily.
Web applications are particularly attractive to attackers: compromising one often gives a direct foothold in the data centre. Custom application code is also rarely held to the same quality bar as commercial off-the-shelf software, which makes it easier to find vulnerabilities in the business applications most large organisations build in-house.
Signature-based solutions such as web application firewalls can detect attacks with a recognisable syntax, such as SQL injection or cross-site scripting payloads, but business logic flaws and custom attacks are far harder to catch. An attacker who increments a numeric parameter to reach another user's record, or toggles a boolean value the application trusts, sends requests that are perfectly well-formed, so these solutions raise no alert.
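To make the contrast concrete, here is an added example (not code from the original page or from any product it describes) that runs two kinds of check over a handful of constructed access-log lines: a WAF-style signature match, which catches the injection payload, and two simple behavioural checks, which catch the parameter increments and the boolean toggle that the signature never sees. The log format, client addresses, paths and thresholds are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (client, method, request target, status).
# None of these come from a real system.
SAMPLE_LOG = """\
10.0.0.5 GET /invoice?id=1001 200
10.0.0.5 GET /invoice?id=1002 200
10.0.0.5 GET /invoice?id=1003 200
10.0.0.5 GET /invoice?id=1004 200
10.0.0.5 GET /invoice?id=1005 200
10.0.0.9 GET /invoice?id=2042 200
10.0.0.9 GET /invoice?id=2042&admin=true 200
10.0.0.7 GET /search?q=%27%20OR%201%3D1-- 200
"""

# A deliberately tiny signature set, standing in for a WAF rule base.
SIGNATURES = [
    re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),   # classic tautology injection
    re.compile(r"(?i)<script"),               # reflected script tag
]
BOOL_VALUES = {"true", "false", "1", "0", "yes", "no"}


def parse_log(text):
    """Turn the assumed log format into dicts with decoded query parameters."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, target, _status = line.split()
        parts = urlsplit(target)
        entries.append({
            "client": client,
            "path": parts.path,
            "params": parse_qs(parts.query, keep_blank_values=True),
        })
    return entries


def signature_hits(entries):
    """Signature check: does any parameter value match a known attack pattern?"""
    hits = []
    for e in entries:
        for name, values in e["params"].items():
            for v in values:
                if any(sig.search(v) for sig in SIGNATURES):
                    hits.append((e["client"], e["path"], name, v))
    return hits


def enumeration_hits(entries, run_length=4):
    """Behavioural check: a client walking a numeric parameter in steps of one.

    Returns (client, path, parameter) tuples once the same client has sent
    `run_length` consecutive values to the same path and parameter.
    """
    last = {}       # (client, path, param) -> (previous value, current run)
    flagged = set()
    for e in entries:
        for name, values in e["params"].items():
            for v in values:
                if not v.isdigit():
                    continue
                key = (e["client"], e["path"], name)
                prev, run = last.get(key, (None, 0))
                run = run + 1 if prev is not None and int(v) == prev + 1 else 1
                last[key] = (int(v), run)
                if run >= run_length:
                    flagged.add(key)
    return sorted(flagged)


def toggle_hits(entries):
    """Behavioural check: a client adds a boolean-looking parameter it never
    sent before on that path, e.g. bolting `admin=true` onto a known request."""
    seen = {}       # (client, path) -> parameter names already used there
    hits = []
    for e in entries:
        key = (e["client"], e["path"])
        known = seen.get(key)
        if known is not None:
            for name, values in e["params"].items():
                if name not in known and any(v.lower() in BOOL_VALUES for v in values):
                    hits.append((e["client"], e["path"], name, values[0]))
        seen[key] = (known or set()) | set(e["params"])
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("signature matches: ", signature_hits(log))
    print("id enumeration:    ", enumeration_hits(log))
    print("parameter toggles: ", toggle_hits(log))
```

Run as-is, the signature check reports only the `' OR 1=1--` payload from 10.0.0.7, while the enumeration check flags 10.0.0.5 walking `/invoice?id=` and the toggle check flags 10.0.0.9 adding `admin=true`. The two behavioural checks are intentionally crude; in production you would baseline which parameters and value ranges each endpoint legitimately accepts and tie the per-client state to a session rather than a source address.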
Relying on periodic web application security audits and code reviews only goes so far: applications change regularly, and a control that depends on security or QA staff imagining and testing every possible vulnerable condition is extremely time-consuming and gives low coverage.
Until the day developers write perfect code, these flaws will remain a regular source of compromise. More than ever, companies need a solution that can detect the intent of an attacker targeting their web presence.