Because they are easily accessible and often serve as an entry point to valuable data, web applications are now—and always will be—a prime target for attack. Indeed, it is not surprising that hacktivist attacks taking down corporate and government sites, DDoS attacks against major financial institutions, and massive Web breaches resulting in millions of compromised credit card numbers and personal data records are in the headlines practically every week. Hidden behind the front page headlines, too, lurk tens of thousands of unreported breaches—unexplained website outages, temporary website defacements, small-scale fraud incidents—that never make their way into news articles. This is because cybercriminals don’t just target brand name companies; they are equal opportunists, constantly seeking out vulnerable sites to compromise, disable, or deface. And their weapons of choice are technical web attacks, business logic attacks, and fraud—which traditional network security defenses, like firewalls and intrusion prevention systems (IPSs), are largely incapable of preventing.