The proliferation of online applications and services is exposing users to security vulnerabilities that will be much harder to plug than those in traditional applications.

Online applications can suffer from a raft of vulnerabilities that allow attackers to steal confidential data from a server or the computer of a user that contacts the service.

The most prevalent examples of such attacks are cross site scripting (XSS) and SQL injection.

An SQL injection attack involves sending instructions to a database for a bank or shop by entering commands into online forms.

In an XSS attack, hackers submit JavaScript or other code to a website such as Gmail, MySpace or Digg. The code is then executed on the computer of each individual who visits the site.

The main problem lies in the large amount of custom code used to construct such applications, according to Caleb Sima, chief technology officer and co-founder of Spi Dynamics, a company specialising in web application security. 

Software vendors traditionally repair security vulnerabilities by issuing a patch to all their users, and a single Windows or Mac OS X update will protect millions of users within days.

But website operators have to manually detect and plug each vulnerability in their web application.

"Microsoft cannot come out with something that will solve all SQL injections, " Sima told vnunet.com in an interview at the RSA Conference in San Francisco.

He claimed that Spi Dynamics has a 99 per cent success rate in breaching the security of its clients' online applications.

"It is not the technology that is the problem. It is the implementation of the technology," he said. "People just take it and implement it without knowing what they are doing."

Attacks against internet applications can be prevented if the applications validate the code entered in online forms.

This ensures that attackers cannot insert commands such as single quotes and other strings that the database interprets as a command. But this is a mostly manual task.

Development frameworks such as Google's Web Toolkit, the open source Dojo project or Microsoft's ASP.Net Ajax 1.0 suite can provide some respite because they provide pre-built code that performs custom functions.  

Some tools also offer code-scanning features that warn developers when they leave common vulnerabilities in their code, but these will not prevent all SQL injection or XSS attacks.

The code for the online software is hosted on a company server, allowing developers to provide users with new features as soon as they have developed the code.

This leads to pressure from marketing and sales to quickly release new versions without first undergoing the proper security checks.

Sima is not entirely pessimistic, however, because IT executives are starting to pay more attention to the security of online applications.

But he warned that attackers are bound to turn their attention to new technologies in online applications such as the XML Path Language used to access portions of an XML document.

This could include a customer database or other confidential information.

"Because web services are more widely used, we will see a lot more web applications becoming vulnerable to Xpath injection by the end of this year," said Sima.